Cross-Media Electronic Reporting, 59848-59889 [05-19601]

Download as PDF 59848 Federal Register / Vol. 70, No. 197 / Thursday, October 13, 2005 / Rules and Regulations ENVIRONMENTAL PROTECTION AGENCY 40 CFR Parts 3, 9, 51, 60, 63, 69, 70, 71, 123, 142, 145, 162, 233, 257, 258, 271, 281, 403, 501, 745 and 763 [FRL–7977–1] RIN 2025–AA07 Cross-Media Electronic Reporting Environmental Protection Agency (EPA). ACTION: Final rule. AGENCY: SUMMARY: EPA is establishing the framework by which it will accept electronic reports from regulated entities in satisfaction of certain document submission requirements in EPA’s regulations. EPA will provide public notice when the Agency is ready to receive direct submissions of certain documents from regulated entities in electronic form consistent with this rulemaking via an EPA electronic document receiving system. This rule does not mandate that regulated entities utilize electronic methods to submit documents in lieu of paper-based submissions. In addition, EPA is not taking final action on the electronic recordkeeping requirements at this time. States, tribes, and local governments will be able to seek EPA approval to accept electronic documents to satisfy reporting requirements under environmental programs that EPA has delegated, authorized, or approved them to administer. This rule includes performance standards against which a state’s, tribe’s, or local government’s electronic document receiving system will be evaluated before EPA will approve changes to the delegated, authorized, or approved program to provide electronic reporting, and establishes a streamlined process that states, tribes, and local governments can use to seek and obtain such approvals. DATES: This rule shall become effective January 11, 2006. ADDRESSES: The public record for this rulemaking has been established under docket number OEI–2003–0001 and is located in the EPA Docket Center, (EPA/ DC) EPA West, Room B102, 1301 Constitution Ave., NW., Washington, DC. The EPA Docket Center Public Reading Room is open from 8:30 a.m. to 4:30 p.m., Monday through Friday, excluding legal holidays. (See SUPPLEMENTARY INFORMATION below.) FOR FURTHER INFORMATION CONTACT: For general information on this final rule, contact the docket above. For more detailed information on specific aspects of this rulemaking, contact David Schwarz (2823T), Office of Environmental Information, U.S. Environmental Protection Agency, 1200 Pennsylvania Avenue, NW., Washington, DC 20460, (202) 566–1704, schwarz.david@epa.gov, or Evi Huffer (2823T), Office of Environmental Information, U.S. Environmental Protection Agency, 1200 Pennsylvania Avenue, NW., Washington, DC 20460, (202) 566–1697, huffer.evi@epa.gov. SUPPLEMENTARY INFORMATION: General Information A. Affected Entities This rule will potentially affect states, tribes, and local governments that have been delegated, authorized, or approved, or which seek delegation, authorization, or approval to administer a federal environmental program under Title 40 of the Code of Federal Regulations (CFR). For purposes of this rulemaking, the term ‘‘state’’ includes the District of Columbia and the United States territories, as specified in the applicable statutes. That is, the term ‘‘state’’ includes the District of Columbia, the Commonwealth of Puerto Rico, the Virgin Islands, Guam, American Samoa, the Commonwealth of Northern Marina Islands, and the Trust Territory of the Pacific Islands, depending on the statute. The rule will also potentially affect private parties subject to any requirements in Title 40 of the CFR that require a document to be submitted to EPA. Affected Entities include, but are not necessarily limited to: Category Examples of affected entities Local government ............... Publicly owned treatment works, owners and operators of treatment works treating domestic sewage, local and regional air boards, local and regional waste management authorities, and municipal and other drinking water authorities. Industry owners and operators, waste transporters, privately owned treatment works or other treatment works treating domestic sewage, privately owned water works, small businesses of various kinds, sponsors such as laboratories that submit or initiate/support studies, and testing facilities that both initiate and conducts studies. States, tribes or territories that administer any federal environmental programs delegated, authorized, or approved by EPA under Title 40 of the CFR. Federally owned treatment works and industrial dischargers, and federal facilities subject to hazardous waste regulation. Private ................................ Tribe and State governments. Federal government ........... This table is not intended to be exhaustive, but rather provides a guide for readers regarding entities likely to be affected by this action. This table lists the types of entities that EPA is now aware can potentially be affected by this action. Other types of entities not listed in the table can also be affected. If you have questions regarding the applicability of this action to a particular entity, consult the person listed in the preceding FOR FURTHER INFORMATION CONTACT section. VerDate Aug<31>2005 16:26 Oct 12, 2005 Jkt 208001 B. How Can I Get Copies of This Document and Other Related Information? 1. Docket. EPA has established an official public docket for this action under Docket ID No. OEI–2003–0001. The official public docket consists of the documents specifically referenced in this action, any public comments received, and other information related to this action. Although a part of the official docket, the public docket does not include Confidential Business Information (CBI) or other information whose disclosure is restricted by statute. The official public docket is the collection of materials that is available PO 00000 Frm 00002 Fmt 4701 Sfmt 4700 for public viewing at the Cross-Media Electronic Reporting Rule (CROMERR) Docket in the EPA Docket Center (EPA/ DC), EPA West, Room B102, 1301 Constitution Ave., NW., Washington, DC. The EPA Docket Center Public Reading Room is open from 8:30 a.m. to 4:30 p.m., Monday through Friday, excluding legal holidays. The telephone number for the Public Reading Room is (202) 566–1744, and the telephone number for the Office of Environmental Information Docket is (202) 566–1752. You may have to pay a reasonable fee for copying. An electronic version of the public docket is available through EPA’s E:\FR\FM\13OCR3.SGM 13OCR3 Federal Register / Vol. 70, No. 197 / Thursday, October 13, 2005 / Rules and Regulations electronic public docket and comment system, EDOCKET. You may use EDOCKET at https://www.epa.gov/ edocket/ to view public comments, access the index listing of the contents of the official public docket, and to access those documents in the public docket that are available electronically. Although not all docket materials may be available electronically, you may still access any of the publicly available docket materials. After selecting the ‘‘Using EDOCKET’’ icon, select ‘‘quick search,’’ then key in the appropriate docket identification number. Double click on the document identification number to bring up the docket contents. 2. Electronic Access. You may access this Federal Register document electronically through the EPA Internet under the ‘‘Federal Register’’ listings at https://www.epa.gov/fedrgstr/. Organization of This Document Information in this Preamble is organized as follows: I. Overview A. Why does the Agency seek to provide electronic alternatives to paper-based reporting and recordkeeping? B. What does the electronic reporting rule do? C. What is the status of the proposed electronic recordkeeping provisions? D. How were stakeholders consulted during the development of today’s final rule? E. What alternatives to today’s final rule did EPA consider? II. Background A. What has been EPA’s electronic reporting policy? B. How does today’s final rule change EPA’s electronic reporting policy? III. Scope of the Electronic Reporting Rule A. Who may submit electronic documents? B. Which documents can be filed electronically? C. How does this final rule implement electronic reporting? IV. Major Changes from Proposed Electronic Reporting Provisions A. How does the rule streamline the approval of electronic reporting under authorized state, tribe, and local government programs? 1. Review of the proposal 2. Comments on the proposal 3. Revisions in the final rule B. How has EPA revised the requirements that state, tribe, and local government electronic reporting programs must satisfy? 1. Review of the proposal 2. Comments on the proposed criteria for electronic document receiving systems 3. Revisions to the criteria in the final rule C. How has EPA accommodated electronic submissions with follow-on paper certifications? D. How has EPA changed proposed definitions of terms? 1. Definition of ‘‘acknowledgment’’ VerDate Aug<31>2005 16:26 Oct 12, 2005 Jkt 208001 2. Definition of ‘‘electronic document’’ 3. Definition of ‘‘electronic signature’’ 4. Definition of ‘‘electronic signature device’’ 5. Definition of ‘‘transmit’’ 6. Definition of ‘‘valid electronic signature’’ V. Requirements for Direct Electronic Reporting to EPA A. What are the requirements for electronic reporting to EPA? B. What is the status of existing electronic reporting to EPA? C. What is EPA’s Central Data Exchange? 1. Overview of general goals 2. Comments on the proposal 3. The aspects of CDX that have not changed since proposal 4. The major changes that EPA has made to CDX since proposal D. How will EPA provide notice of changes to CDX? VI. Requirements for Electronic Reporting under EPA-Authorized Programs A. What is the general regulatory approach? B. When must authorized state, tribe, or local government programs revise or modify their programs to allow electronic reporting? 1. The general requirement 2. Deferred compliance for existing systems C. What alternative procedures does EPA provide for revising or modifying authorized state, tribe, or local government programs for electronic reporting? 1. The application 2. Review for completeness 3. EPA actions on applications 4. Revisions or modifications associated with existing systems 5. Public hearings for Part 142 revisions or modifications 6. Re-submissions and amendments D. What general requirements must state, tribe, and local government electronic reporting programs satisfy? E. What standards must state, tribe, and local government electronic document receiving systems satisfy? 1. Timeliness of data generation 2. Copy of record 3. Integrity of the electronic document 4. Submission knowingly 5. Opportunity to review and repudiate copy of record 6. Validity of the electronic signature 7. Binding the signature to the document 8. Opportunity to review 9. Understanding the act of signing 10. The electronic signature or subscriber agreement 11. Acknowledgment of receipt 12. Determining the identity of the individual uniquely entitled to use a signature device VII. What are the Costs of Today’s Rule? A. Summary of proposal analysis B. Final rule costs C. General changes to methodology and assumptions VIII. Statutory and Executive Order Reviews A. Executive Order 12866 B. Executive Order 13132 C. Paperwork Reduction Act D. Regulatory Flexibility Act PO 00000 Frm 00003 Fmt 4701 Sfmt 4700 59849 E. Unfunded Mandates Reform Act F. National Technology Transfer and Advancement Act G. Executive Order 13045 H. Executive Order 13175 I. Executive Order 13211 (Energy Effects) J. Congressional Review Act I. Overview A. Why does the Agency seek to provide electronic alternatives to paper-based reporting and recordkeeping? In the Federal Register of August 31, 2001 (66 FR 46162), EPA published a notice of proposed rulemaking, announcing the goal of making electronic reporting and electronic recordkeeping available under EPA regulatory programs. The Agency believes that the submission and storage of electronic documents in lieu of paper documents can: • Reduce the cost and burden of data transfer and maintenance for all parties to the data exchanges; • Improve the data and the various business processes associated with its use in ways that may not be reflected directly in cost-reduction, e.g., through improvements in data quality, and the speed and convenience with which data may be transferred and used; and • Maintain the level of corporate and individual responsibility and accountability for electronic reports and records that currently exists in the paper environment. Recent federal policy and law are also strong drivers of electronic alternatives to traditional reporting and recordkeeping. The Government Paperwork Elimination Act (GPEA) of 1998, Title XVII of Public Law 105–277, requires the Director of the Office of Management and Budget (OMB) to ensure that executive agencies provide for the option of the electronic maintenance, submission, or disclosure of information as a substitute for paper when practicable, and for the use and acceptance of electronic signatures, when practicable. See GPEA section 1704. Given the enormous strides in data transfer and management technologies, particularly in connection with the Internet, replacing paper with electronic data transfer now promises increased productivity across almost all facets of business and government. In seeking to make electronic alternatives available that were not contemplated when most existing EPA regulations were written, EPA was mindful of the need to maintain our ability to carry out our statutory environmental and health protection mission, in part through ensuring the integrity of environmental compliance documents. Accordingly, the intended E:\FR\FM\13OCR3.SGM 13OCR3 59850 Federal Register / Vol. 70, No. 197 / Thursday, October 13, 2005 / Rules and Regulations effect of the proposed regulation was to permit and encourage the use of electronic technologies in a manner that is consistent with EPA’s overall mission and that preserves the integrity of the Agency’s compliance and enforcement activities. The Agency believes that it is essential to ensure that electronic reports can play the same role as their paper counterparts in providing evidence of what was reported and to what identified individuals certified with respect to the report. Otherwise, electronic reporting places at risk the continuing viability of self-monitoring and self-reporting that provides the framework for compliance under most of our environmental programs. The purpose of today’s final rule is therefore twofold. Today’s rule is intended to provide regulated industry, EPA, and state, tribe, and local governments with electronic reporting alternatives that improve the efficiency, the speed, and the quality of regulatory reporting. At the same time, the rule is intended to ensure the legal dependability of electronic documents submitted under environmental programs. This includes, among other things, ensuring that individuals will be held as responsible and accountable for the electronic signatures, which they execute, and for the documents to which such signatures attest as they currently are in cases of documents where they execute handwritten signatures. B. What does the electronic reporting rule do? EPA is announcing today the final regulatory provisions in a new part 3 of Title 40 of the CFR for electronic reporting to EPA and under authorized state, tribe, and local government programs. ‘‘Authorized program’’ is shorthand for a federal program that EPA has delegated, authorized, or approved a state, tribe or local government to administer under other provisions of title 40 of the CFR, where the delegation, authorization, or approval has not been withdrawn or expired. Section 3.3 of the rule codifies this usage in the regulatory text. This use of ‘‘authorized’’ does not mean that EPA is precluded from an enforcement action by a prior enforcement action being taken by a state, tribe, or local government under its authorized program. The final rule incorporates changes made after publication of the proposed rule that are discussed in detail in section IV of this Preamble. This rule establishes electronic reporting as an acceptable regulatory alternative across a broad spectrum of EPA programs, and establishes VerDate Aug<31>2005 16:26 Oct 12, 2005 Jkt 208001 requirements to assure that electronic documents are as legally dependable as their paper counterparts. The requirements in Subpart B of the rule apply to entities that choose to submit electronic documents for direct reporting to EPA, including state, tribe, and local government facilities that choose to submit electronic documents to EPA to satisfy requirements that apply to them under other provisions of title 40 of the CFR. However, the scope of this final rule excludes any data transfers between EPA and states, tribes, or local governments as a part of their authorized programs or as a part of administrative arrangements between states, tribes, or local governments and EPA to share data. The requirements in Subpart D of the rule provide for electronic reporting under authorized state, tribe, and local government programs and apply to the governmental entities administering the authorized programs. Under the final rule, states, tribes, and local governments have the choice of using electronic submission rather than paper for reporting under their authorized programs. Comments on the proposed rule indicated that some states and local governments are now requiring electronic reporting under those programs. Existing electronic document receiving systems must receive EPA approval in accordance with Subpart D in order to meet the requirements of part 3. This rule does not require that any document be submitted electronically, and it does not require any state, tribe, or local authorized program to receive electronic documents. Public access to environmental compliance information is not affected by today’s action. Additionally, the scope of the final rule specifically excludes the submission of any electronic document via magnetic or optical media—for example via diskette, compact disk (CD), digital video disc (DVD), or tape— as well as the transmission of documents via hard copy facsimile or ‘‘fax.’’ The exclusion of magnetic or optical media submissions from the scope of this rule in no way indicates EPA’s rejection of these technologies as a valid approach to paperless reporting. Magnetic and optical media submissions fulfill the goal of providing alternatives to submission on paper. EPA has already successfully implemented a paperless reporting alternative that utilizes magnetic and optical media submissions to fulfill many regulatory reporting requirements. Such instances include reporting related to the hazardous waste, Toxic Release Inventory, and pesticide registration programs. EPA expects these magnetic PO 00000 Frm 00004 Fmt 4701 Sfmt 4700 and optical media approaches to paperless reporting to continue, and nothing in today’s rule should be interpreted to proscribe or discourage them. For entities that report to EPA directly and do so by submitting electronic documents, today’s action requires that these documents be submitted either to the Agency’s centralized electronic document receiving system, called the ‘‘Central Data Exchange’’ (CDX), or to alternative systems designated by the Administrator as described herein and in a separate Federal Register notice. Entities that submit electronic documents directly to EPA will satisfy the requirements in today’s rule by successfully submitting their reports to one of these systems. While we do not intend to codify any of the details of how CDX operates or how it is constructed, the characteristics of the CDX and the submission scenarios are described later in this Preamble. In addition, the CDX design specifications are included as a part of this rulemaking docket. Many facilities submit documents directly to states, tribes, or local governments under authorized programs. For currently authorized programs that receive or wish to begin receiving electronic documents in lieu of paper, this rule requires EPA approval of program revisions or modifications that address their electronic reporting implementations. For programs initially seeking authorization, this rule requires EPA approval of any electronic reporting components of the programs. In both cases, EPA approval will be based largely on an assessment of the program’s ‘‘electronic document receiving system’’ that is or will be used to implement electronic reporting. For this purpose, this rule includes performance-based standards that EPA will use to determine that an electronic document receiving system is acceptable. To implement electronic reporting under currently authorized programs, EPA is creating a streamlined procedure that states, tribes, and local governments may use to revise or modify their authorized programs to incorporate electronic reporting. Today’s rulemaking also includes special provisions for authorized programs’ electronic document receiving systems that exist at the time of publication of this final rule. It is worth noting that EPA can approve changes to authorized state, tribe, or local programs that involve the use of CDX to receive data submissions from their reporting communities, and EPA is exploring opportunities to E:\FR\FM\13OCR3.SGM 13OCR3 Federal Register / Vol. 70, No. 197 / Thursday, October 13, 2005 / Rules and Regulations leverage CDX resources for use by states, tribes, and local governments. As currently implemented, CDX provides the major systems infrastructure components necessary to achieve electronic reporting consistent with the standards in this rule for assessing state, tribe, or local government electronic document receiving systems. Additionally, EPA has set the goal of making CDX operations fully consistent with the requirements in today’s rule within two years. While today’s rule establishes electronic reporting as a regulatory alternative, EPA will make the electronic submission alternative available for specific reports or other documents only as EPA announces its readiness to receive them through CDX or another designated system. EPA will publish announcements in the Federal Register as CDX and other systems become available for particular environmental reports. These elements are discussed in more detail in section V of this Preamble. In a notice published concurrently with today’s rule, EPA clarifies the status of electronic reporting directly to EPA systems that exist as of the rule’s publication date. In accordance with 40 CFR 3.10, EPA is designating for the receipt of electronic submissions, all EPA electronic document receiving systems currently existing and receiving electronic reports as of the date of the notice. This designation is valid for a period of up to two years from the date of publication of the notice. During this two-year period, entities that report directly to EPA may continue to satisfy EPA reporting requirements by reporting to the same systems as they did prior to CROMERR’s publication unless EPA publishes a notice that announces changes to, or migration from, that system. Any existing system continuing to receive electronic reports at the expiration of this two-year period must receive redesignation by the Administrator under § 3.10. Notice of such redesignation will be published in the Federal Register. C. What is the status of the proposed electronic recordkeeping provisions? At this time, EPA is only finalizing the provisions for electronic reporting to EPA and under authorized programs. The August 31, 2001, proposal, however, also addressed records that EPA or authorized programs require entities to maintain under any of the environmental programs governed by Title 40 of the CFR or related state, tribe, and local laws and regulations. For such records, EPA proposed specific provisions for administering the VerDate Aug<31>2005 16:26 Oct 12, 2005 Jkt 208001 maintenance of electronic records under these environmental regulations. EPA proposed criteria under which the Agency would consider electronic records to be trustworthy, reliable, and generally equivalent to paper records in satisfying regulatory requirements. For entities that choose to keep records electronically, the proposal would have required the adoption of best practices for electronic records management. For facilities maintaining records to satisfy the requirements of authorized programs, the proposal would have allowed for EPA approval of changes to the authorized programs to provide for electronic recordkeeping. Under the proposal, approval would have been based on a determination that the authorized program would require best practices for electronic records management, corresponding to EPA’s provisions for electronic records maintained to satisfy EPA recordkeeping requirements. Further, EPA proposed that once the rule took effect, any records subject to the rule that were maintained to satisfy the requirements of EPA programs could only be maintained electronically after EPA announced in the Federal Register that EPA was ready to allow electronic records maintenance to satisfy the specified recordkeeping requirements. Also under the proposal, records maintained under an authorized state, tribe, or local government program could only be maintained electronically once EPA had approved the necessary changes to the authorized program. Based on the comments received on the proposed electronic recordkeeping provisions, EPA reconsidered its approach to electronic recordkeeping and is not issuing final recordkeeping rules at this time. The Agency is conducting additional analysis and intends to publish a supplemental notice or re-proposal to solicit additional comments before a final rule on electronic recordkeeping is issued. We will be reviewing provisions related to the methods used to ensure accuracy, accessibility and the ability to detect alterations of records stored electronically, as well as other possible controls for electronic recordkeeping. The Agency intends to utilize this review to engage states, tribes, local governments, and industry in meaningful consultation to ensure that the EPA has the best available information on which to base its decisions. In conjunction with these consultations—and before issuing any notice or re-proposal—EPA will conduct additional analysis on the costs and benefits of alternative approaches, and the technical feasibility of various PO 00000 Frm 00005 Fmt 4701 Sfmt 4700 59851 options, with a focus on impacts to small businesses. Today’s rule does not authorize the conversion of existing paper documents retained to comply with existing recordkeeping requirements under other provisions of Title 40 of the CFR to an electronic format for record-retention purposes. D. How were stakeholders consulted during the development of today’s final rule? This final rule reflects more than ten years of interaction with stakeholders that included states, tribes, and local governments, industry groups, environmental non-government organizations, national standard setting committees, and other federal agencies. As detailed in the proposal, many of our most significant interactions involved electronic reporting pilot projects conducted with state agency partners, including the States of Pennsylvania, New York, Arizona, and several others. In May, 1997, work began with approximately 35 states on the State Electronic Commerce/Electronic Data Interchange Steering Committee (SEES) convened by the National Governors’ Association (NGA) Center for Best Practices (CBP). Also, EPA sponsored a series of conferences and meetings, beginning in June, 1999, with the explicit purpose of seeking stakeholder advice before drafting the proposal. Reports of these conferences and meetings are available in the docket for this rulemaking, along with the product of the SEES effort, a document entitled, ‘‘A State Guide for Electronic Reporting of Environmental Data,’’ and reports on some of the more recent state/EPA electronic reporting pilots. For the proposal, EPA provided a 6month public comment period, which closed on February 27, 2002. During that time, we received 184 sets of written comments on the proposed rule. The commenters represented a broad spectrum of interested parties: States, local governments, specific businesses, trade associations, and other federal agencies. Substantive changes to the electronic reporting provisions based on public comments are discussed in detail in section IV of this Preamble. In addition, EPA received comments at four public meetings held around the country and at two meetings with states held in Washington, DC. The comments and meeting summaries can be found in the docket to this rulemaking. Today’s final rule reflects many of the comments and concerns raised by commenters on the proposal. (A complete discussion of the options considered by EPA and other background information on the Agency’s policy on electronic reporting E:\FR\FM\13OCR3.SGM 13OCR3 59852 Federal Register / Vol. 70, No. 197 / Thursday, October 13, 2005 / Rules and Regulations can be found in the proposed rule.) The majority of comments focused on the costs and burden of the proposed Subpart D electronic recordkeeping provisions. EPA’s response to public comments to the proposal can be found in the rulemaking docket, in the Response to Comments document. E. What alternatives to today’s final rule did EPA consider? EPA considered both a more stringent and a less stringent alternative to the regulatory approach taken in this rule. The more stringent alternative is reflected in the electronic provisions published, August 31, 2001, in the Notice of Proposed Rulemaking for CROMERR. The proposed version of CROMERR was more stringent by virtue of setting much more prescriptive, detailed requirements that electronic document receiving systems would have to satisfy. For example: • Proposed § 3.2000(d) contained very specific requirements for submitter identity management that a system would have to satisfy, including detailed requirements for renewal of registration and revocation of registration under specified circumstances; • Proposed § 3.2000(e) contained very detailed requirements for the signature/ certification scenario that a system would have to provide for, specifying the exact sequence of steps to be followed in electronically signing a submission, and requiring such features as on-screen, scroll-through presentation of the data to be submitted for review of the signatory prior to signing. EPA received significant public comment on this approach, both from states and from regulated companies, and there were at least three closely related themes. The first was that such prescriptive requirements would greatly limit the flexibility of states to implement electronic reporting in a cost-effective way. The second theme was that many of the requirements— especially those specifying the signature/certification scenario—were not appropriate to many cases where electronic reporting would occur. Third and finally, many of these commenters expressed skepticism that these very detailed requirements represented the only possible approach to ensuring the legal dependability of electronic submissions and signatures. These themes are discussed in detail in section IV.B of this Preamble. EPA also considered a less stringent alternative that would have refrained from specifying requirements to establish the identity of an individual to VerDate Aug<31>2005 18:22 Oct 12, 2005 Jkt 208001 whom a signature device or credential (e.g. a PIN, password, or PKI certificate) is issued. This less stringent alternative would have omitted the provision for identity-proofing in the final § 3.2000(b)(5)(vii). In terms of regulatory impact, this would be a significant reduction in stringency. Most of the burden on regulated entities imposed by today’s rule is associated with the registration process involved in obtaining a signature device or credential, and any requirement to establish the registrant’s identity raises the aggregate burden substantially. EPA rejected this less stringent alternative, because we believe that it would seriously undermine the rule’s ability to assure the legal dependability of electronic submissions. It is a basic principle of electronic authentication (E-authentication) that individuals being authenticated are who they say they are. E-authentication depends critically on the degree of trust we can place in the credential the individual presents, and such trust depends heavily on the process of establishing the individual’s identity (or ‘‘identity-proofing’’) when he or she first registers for the credential. If the identity-proofing process is not sufficiently stringent and credible, then it may be uncertain who is using the credential in a specific instance where it is presented. Where the credential is used to create an electronic signature, inadequate identity-proofing may create uncertainty as to who the signatory is, as a result, the signature may be rendered undependable for any legal purpose. Accordingly, EPA believes that, notwithstanding the cost, it is necessary to specify that identity-proofing be conducted. The § 3.2000(b)(5)(vii) identity-proofing requirement is explained in detail in section VI.E.12 of this Preamble. II. Background A. What has been EPA’s electronic reporting policy? On September 4, 1996, EPA published a document entitled ‘‘Notice of Agency’s General Policy for Accepting Filing of Environmental Reports via Electronic Data Interchange (EDI)’’ (61 FR 46684) (hereinafter referred to as ‘the 1996 Policy’), where ‘‘EDI’’ generally refers to the transmission, in a standard syntax, of unambiguous information between computers of organizations that may be completely external to each other. This notice announced EPA’s basic policy for accepting electronically submitted environmental reports, and its scope was intended to include any regulatory, PO 00000 Frm 00006 Fmt 4701 Sfmt 4700 compliance, or informational (voluntary) reporting to EPA via EDI. For purposes of the 1996 policy, the standard transmission formats used by EPA were to be based on the EDI standards developed and maintained by the American National Standards Institute (ANSI) Accredited Standards Committee (ASC) X12. By linking our approach to the ANSI X12 standards, we hoped to take advantage of the robust ANSI-based EDI infrastructure already in place for commercial transactions, including a wide array of commercial off-the-shelf (COTS) software packages and communications network services, and a growing industry community of EDI experts available both to EPA and to the regulated community. At the time EPA was writing this policy, ANSIbased EDI was arguably the dominant mode of electronic commerce across almost all business sectors, from aerospace to wood products, at least in the United States. (A complete discussion of EPA’s 1996 policy can be found in the preamble to the proposed rule.) With this final rule, EPA is making changes to the 1996 policy for three primary reasons. First, and most important, the technology environment has changed substantially since the 1996 policy was written. Web-based electronic commerce and public key infrastructure (PKI) are two examples. While both were available and in use for some purposes in 1996, they had not yet achieved the level of acceptance and use that they enjoy today. We could not have anticipated in 1996 that this evolution would occur as rapidly as it has. Clearly, these developments require that we extend our approach to electronic reporting beyond EDI and Personal Identification Numbers (PINs). In addition, they teach us that it is generally unwise to base regulatory requirements on the existing information technology environment or on assumptions about the speed and direction of technological evolution. Second, we believe that technologyspecific provisions would be very complex and unwieldy. The resulting regulation would likely place unacceptable burdens on regulated entities trying to understand and comply. Third, and finally, an electronic reporting architecture that makes a centralized EPA or state system the platform for such functions as electronic signature/certification is now quite viable—and quite consistent with the standard practices of Web-based electronic commerce. Given the state of technology six years ago, we could not E:\FR\FM\13OCR3.SGM 13OCR3 Federal Register / Vol. 70, No. 197 / Thursday, October 13, 2005 / Rules and Regulations have considered this approach in the 1996 policy. B. How does today’s final rule change EPA’s electronic reporting policy? For practical purposes, the most important change that today’s rule makes is in our technical approach to electronic reporting. In contrast to the 1996 policy, today’s rule does not generally specify or limit the range of allowable electronic submission technologies and formats. Under today’s rule, complaint electronic reporting approaches can include user-friendly ‘smart’ electronic forms to be completed on-line or downloaded for completion off-line at the user’s personal computer, as well as data transfers via the Internet or secure email in a variety of standard and common off-the-shelf, applicationbased formats. Similarly, in terms of electronic signature technology, the rule allows for a range of approaches, including various implementations of PINs and passwords, the use of private or personal information, digital signatures based on PKI certificates, and other signature technologies as they become viable for our applications. As EPA or authorized programs implement electronic submission for specific reports, the rule allows them to select one or more of the available submission and signature approaches according to their circumstances and the programspecific requirements. EPA’s goals are to make this electronic reporting alternative as simple, attractive and cost-effective as possible for reporting entities, while ensuring that electronically submitted documents are as legally dependable as their paper counterparts. We believe that today’s rule achieves these goals, but—unlike the 1996 policy—without requiring specific technologies or setting detailed procedural steps for the submission of electronic documents. Our strategy—as initially set out in the August 31, 2001, notice of proposed rulemaking, and as finalized today—is to impose as few specific requirements as possible on reporting entities, and to generally keep requirements neutral with respect to technology. As a consequence, today’s rule enables EPA, the states, tribes, and local governments to offer regulated companies diverse approaches to electronic reporting that can be tailored to their technical capabilities and to the level of automation they wish to achieve. In addition, the strategy gives EPA, the states, tribes, and local governments the flexibility to adapt electronic reporting systems to evolving technologies without requiring that regulations be VerDate Aug<31>2005 18:22 Oct 12, 2005 Jkt 208001 amended with each technological innovation. However, this regulatory strategy does not mean abandoning any control over how electronic documents are submitted. In place of specific technologies or detailed procedural steps, today’s rule requires that electronic submissions be made to CDX or other designated EPA systems, or to state, tribe, or local government systems that are determined to satisfy a certain specified set of technology-neutral performance standards. As a practical matter, the use of these systems (e.g., CDX or others that meet the specified performance standards) will involve submission procedures that we believe are sufficient to ensure the legal dependability of electronic reports so that they meet the needs of our compliance and enforcement programs. In addition, while the specified performance standards may be technology-neutral, agency electronic reporting systems that implement the standards will incorporate suites of very specific technologies that will further determine the process for actual electronic submission. Sections V.B and V.C of this Preamble describe these requirements and the associated technologies in some detail for the case of reporting directly to EPA via CDX. III. Scope of the Electronic Reporting Rule EPA is today promulgating a new Part 3 in Title 40 of the CFR. The new Part applies to all persons who submit reports or other documents to EPA under Title 40, and to state, tribe, and local programs that administer or seek to administer authorized programs under Title 40. The new part 3 does not address contracts, grants or financial management regulations contained in Title 48 of the CFR. A. Who may submit electronic documents? Any entity that submits documents addressed in this rule (see section III.B., below) directly to EPA can submit them electronically as soon as EPA announces that CDX or a designated alternative system is ready to receive these reports. (See section V of this Preamble for a discussion on requirements for electronic reporting to EPA, and section V.B for a discussion of the status of electronic reporting directly to EPA systems that exist as of the rule’s publication date.) Under this rule, the affected entities may elect to utilize the electronic reporting alternative. These entities are not required by this final rule to report electronically; however, they may be required to report PO 00000 Frm 00007 Fmt 4701 Sfmt 4700 59853 electronically under other Title 40 regulations, and nothing in today’s rule limits EPA’s ability to require electronic reporting under other parts of Title 40. In general, entities may submit documents electronically as provided for under authorized state, tribe, or local government programs. Nothing in this rule prohibits state, tribe, or local governments from requiring electronic reporting under applicable state, tribe, or local law. B. Which documents can be filed electronically? This rule addresses document submissions required by or permitted under any EPA or authorized state, tribe, or local program governed by EPA’s regulations in Title 40 of the CFR. Nonetheless, EPA will need time to develop the hardware and software components required for each individual type of document. Similarly, states, tribes, and local governments will need time to evaluate their electronic document receiving systems to ensure that they meet the standards promulgated in today’s final rule. Accordingly, once this rule takes effect, specific documents submitted directly to EPA that are not already being submitted electronically to existing EPA systems can only be submitted electronically after EPA announces in the Federal Register that CDX or an alternative system is ready to receive those specific documents. (See section V.B of this Preamble for a discussion of the status of electronic reporting directly to EPA systems that exist as of the rule’s publication date.) Documents may be submitted electronically under the provisions of an authorized state, tribe, or local program. C. How does this final rule implement electronic reporting? The new 40 CFR part 3 consists of four (4) Subparts. Subpart A provides that any requirement in Title 40 to submit a report directly to EPA can be satisfied with an electronic submission that meets certain conditions (specified in Subpart B) once the Agency publishes a notice that electronic document submission is available for that requirement. Subpart A also provides that electronic reporting can be made available under EPA-authorized state, tribe, or local environmental programs. In addition, Subpart A makes clear: (1) that electronic document submission, while permissible under the terms of this rule, is not required by any provision of this rule; and (2) that this rule confers no right or privilege to submit data electronically and does not obligate EPA or states, tribes, or local E:\FR\FM\13OCR3.SGM 13OCR3 59854 Federal Register / Vol. 70, No. 197 / Thursday, October 13, 2005 / Rules and Regulations agencies to accept electronic data. Subpart A also contains key definitions and discusses compliance and enforcement. Subpart B sets forth the general requirements for acceptable electronic documents submitted to EPA. It provides that electronic documents must be submitted either to CDX or to other EPA designated systems. It also includes general requirements for electronic signatures. The requirements in Subpart B apply to entities that submit electronic documents for direct reporting to EPA, including states, tribes, and local governments that submit electronic documents to EPA to satisfy requirements that apply to them under Title 40 of the CFR. Subpart B does not apply to any data transfers between EPA and states, tribes, or local governments as a part of their authorized programs or as a part of administrative arrangements between states, tribes, or local governments and EPA to share data. Additionally, Subpart B does not apply to the submission of any electronic document via magnetic or optical media—for example via diskette, compact disk, or tape—or to the transmission of documents via hard copy facsimile or ‘‘fax.’’ Subpart C is reserved for future EPA electronic recordkeeping requirements. Finally, Subpart D sets forth the process and standards for EPA approval of changes to authorized state, tribe, and local environmental programs to allow electronic reporting to satisfy requirements under these programs. Again, for purposes of Subpart D, ‘‘electronic reporting’’ entails submission via telecommunications, and Subpart D requirements do not apply in cases of submission via magnetic or optical media or hard copy ‘‘fax.’’ With respect to electronic reporting, Subpart D includes simplified performance-based standards for acceptable state, tribe, or local agency electronic document receiving systems against which EPA will assess authorized program electronic reporting elements. It also provides a streamlined process for approving applications for revisions to authorized programs for electronic reporting. Given the provisions of Subpart A, a regulated entity wishing to determine whether electronic reporting directly to EPA was available under some specific regulation will have to verify that EPA has published a Federal Register notice announcing their availability and will have to locate any additional provisions or instructions governing the electronic alternative for the particular reporting requirement. To facilitate this VerDate Aug<31>2005 18:22 Oct 12, 2005 Jkt 208001 determination, EPA intends to maintain an easily accessed list of EPA reports for which electronic reporting has been implemented—cross-referencing the applicable Federal Register notices—on the Exchange Network and Grants webpage at www.epa.gov/ exchangenetwork. IV. Major Changes From Proposed Electronic Reporting Provisions A. How does the rule streamline the approval of electronic reporting under authorized state, tribe, and local government programs? 1. Review of the proposal. EPA proposed that states, tribes, and local governmental entities would use the procedures for program revision or modification provided in existing program-specific regulations governing state, tribe, or local authorized programs. In the Preamble to the proposed rule, we noted that our approach raised certain administrative concerns, especially in cases where a governmental entity wished to use a single system to accept electronic submissions across a number of authorized programs, corresponding to EPA’s use of CDX to receive reports across EPA programs. To receive EPA approval for such implementations, the governmental entity would have to apply for revision or modification under each authorized program affected, using procedures that might vary substantially from program to program. While these procedures might vary, each substantive review would still refer to the same proposed part 3 criteria, and—in the case of a single system implementation—would apply these criteria to the same system. EPA intended this approach to facilitate an administrative streamlining of the approval process, by allowing a single EPA review of all cross-program applications associated with a particular electronic document receiving system, which would enable EPA to make a single decision to approve or disapprove all the associated applications. While this approach would not eliminate multiple applications, it would at least simplify the interactions between the applicant and EPA during substantive review, and would speed EPA action on the applications themselves. EPA also considered more radical streamlining alternatives, including a centralized approval process provided for by regulation, and the proposal requested comment on whether any of these alternatives would be preferable to the administrative approach to streamlining. PO 00000 Frm 00008 Fmt 4701 Sfmt 4700 2. Comments on the proposal. In comments on the provisions for electronic reporting under authorized programs, a recurring theme was the complexity of the proposed requirements for EPA approval of program revisions or modifications to allow electronic reporting. The comments in many cases seemed directed equally to the approval process and to the proposed criteria for approval. Comments on the criteria are discussed in more detail in section IV.B.2 of this Preamble. As for the comments that clearly addressed the process, there were two major concerns. The first was that the process, due to the various current program authorization regulations, is inherently complicated, timeconsuming and resource-intensive. In a few cases, commenters noted the particular worry that having to seek EPA approval for each program implementing electronic reporting would be especially burdensome, and that EPA’s proposed approach of streamlining the internal review component of the program revision process would be of little help. The second concern was the impact of the rule on electronic reporting that was already underway. Commenters noted that many authorized programs are already accepting electronic submissions, or would be by the time the final rule is published, and they worried about the timing of the requirement that the electronic document receiving systems they use for this purpose be approved by EPA under associated program revision or modification procedures. Under the proposed provisions, such systems would have to be EPA-approved as soon as the rule became effective, which was not practicable. Given the need to address the criteria for approval, such applications could only be initiated once the rule was finalized, and they might take months to complete and get approved, or substantially longer in cases where the revision or modification required state legislative or regulatory changes. During the months or years that the revision or modification was in process, the authorized program would either have to shut down their electronic document receiving systems or, of necessity, operate them out of compliance with the rule. Commenters were particularly concerned with the disruptive impacts of having to shut these systems down. They pointed out that reversion to paper-based submissions in such cases may be difficult and expensive, both for the agencies and for the submitting entities that are affected, and that resuming E:\FR\FM\13OCR3.SGM 13OCR3 Federal Register / Vol. 70, No. 197 / Thursday, October 13, 2005 / Rules and Regulations system operation after a long hiatus may require resources more typically associated with system start-up. Additional comments on program revision or modification and EPA’s responses can be found in the rulemaking docket, in the Response to Comments document. 3. Revisions in the final rule. To address the concern that the proposed program revision or modification to accommodate electronic reporting was too complicated and burdensome, the final rule provides streamlined procedures for adding electronic reporting to existing authorized programs. These are optional procedures that a state, tribe, or local government may use if it chooses, in place of the applicable program-specific procedures, to seek EPA approval for revisions or modifications that provide for electronic reporting. EPA believes that in most cases these optional procedures will be substantially simpler and quicker than their program-specific alternatives. These new procedures are discussed in detail in section VI.C of this Preamble. To address the concern that the required program revisions or modifications may disrupt authorized programs that already have electronic reporting underway, the final rule provides for a two-year delayed compliance date—in effect, a two-year ‘‘grace period’’—before such programs have to submit their applications for revision or modification. Programs will be allowed this grace period where they have systems that fit the definition of ‘‘existing electronic document receiving system,’’ explained in section VI.B.2 of this Preamble. In addition, these provisions allow the grace period to be extended, on a case-by-case basis, where an authorized program may need to wait for legislative or regulatory changes before a complete application can be submitted. B. How has EPA revised the requirements that state, tribe, and local government electronic reporting programs must satisfy? 1. Review of the proposal. EPA proposed a detailed set of criteria that would have to be met by any system that is used to receive electronic documents submitted to satisfy document submission requirements under any EPA-authorized state, tribe, or local environmental program. The proposed criteria addressed the capabilities that EPA believed a state, tribe, or local government’s electronic document receiving system must have regarding six function-specific categories: (1) System security, (2) VerDate Aug<31>2005 16:26 Oct 12, 2005 Jkt 208001 electronic signature method, (3) submitter registration, (4) signature/ certification scenario, (5) transaction record, and (6) system archives. These criteria were based upon EPA’s consideration of the roles that many electronically submitted documents will likely play in environmental program management, including compliance monitoring and enforcement, and the need to ensure that such roles were not compromised by the transition from paper to electronic submission. In many respects electronic submission enhances a document’s utility for environmental programs: it significantly reduces the resources and time involved in making the content available to its users, and can greatly facilitate data quality assurance and analysis. Nonetheless, electronic submissions may also be open to challenge, primarily with respect to their authenticity, and particularly where they are used to establish the actions and intentions of the submitters. We normally consider such uses in the case of environmental reporting, especially where electronic submissions are made to report on an entity’s compliance status and where the submission includes a responsible individual’s certification to the truth of what is reported. For such cases, EPA identified a programmatic need to be able to authenticate the submission content and the certification—for example, to be able to address issues of fraud or false reporting where they arise—and it is primarily this need that was addressed by the six proposed criteria. The point of the proposal’s six function-specific categories was to ensure the authenticity of electronic documents submitted in lieu of paper reports, so that they will be able to play the same role as their paper counterparts in providing evidence of what was reported and to what an identified individual certified with respect to the report. For example, in the case of paper submissions, the evidence surrounding a handwritten signature is normally sufficient to demonstrate that the signature is authentic and rebut any attempt by the signatory to repudiate it and EPA intends the standards in today’s rule to provide evidence for electronic signatures that has a corresponding level of non-repudiation. Since these evidentiary issues typically arise in the context of judicial or other legal proceedings, electronic documents need the same ‘‘legal dependability’’ as their paper counterparts. The over-arching standard in the concept of ‘‘legal dependability’’ is that any electronic document that may be used as evidence PO 00000 Frm 00009 Fmt 4701 Sfmt 4700 59855 to prosecute an environmental crime or to enforce against a civil violation should have no less evidentiary value than its paper equivalent. For example, where there is a question of deliberate falsification of compliance data—it must be possible to establish the signatory’s identity beyond a reasonable doubt no matter whether the submission was electronic or paper. A seventh, more general proposed criterion, entitled ‘‘Validity of Data,’’ addressed the standard of legal dependability directly. The idea, in general, was that a system used to receive electronic documents must be capable of reliably generating evidence for use in private litigation, in civil enforcement proceedings, and in criminal proceedings in which the standard for conviction is proof beyond a reasonable doubt that the electronic document was actually signed by the individual identified as the signatory and that the data it contains was not submitted in error. The six more detailed, function-specific criteria represented the requirements for satisfying this more general ‘‘Validity of Data’’ criterion. Taken together, the seven proposed criteria were intended to ensure the legal dependability of electronically submitted documents by providing: • Standards for valid electronic signatures and authentic electronic documents to be admitted as evidence in a judicial proceeding; • Assurance that electronic documents can be authenticated to provide evidence of what an individual submitted and/or attested to; and • Assurance that electronic signatures resist repudiation by the signatory. By providing for these and other facets of an electronic document’s legal dependability, proposed CROMERR was intended to preserve the ability of EPA and its authorized programs to hold individuals accountable when they certify, attest or agree to the content of compliance reports under environmental laws and statutes. By the same token, proposed CROMERR was also intended to ensure that EPA and its authorized programs will have the documentary evidence they need to bring actionable cases of false or fraudulent reporting into court. 2. Comments on the proposed criteria for electronic document receiving systems. EPA received a substantial number of comments on the proposed criteria for state, tribe, and local electronic document receiving systems, both in written submissions and at meetings with the public and with state and local government officials. While a E:\FR\FM\13OCR3.SGM 13OCR3 59856 Federal Register / Vol. 70, No. 197 / Thursday, October 13, 2005 / Rules and Regulations few of these comments questioned the ‘‘Validity of Data’’ criterion, the great majority dealt with the detailed function-specific criteria. There were at least three recurring and closely related themes. First, the criteria were too prescriptive and inflexible, and would prevent state, tribe, and local agencies from adapting their electronic reporting approaches to their needs and changing circumstances, and foreclose new and creative ways to achieve legal dependability. Second, the criteria would make electronic reporting unnecessarily complex, costly, and burdensome. Third, while the criteria might be appropriate for some cases, the ‘‘one size fits all’’ approach was not workable for all reports in all programs. Commenters tended to associate these three themes with certain misperceptions about the proposed requirements for signature method and the signature/certification scenario. Concerning signature method, a common concern was that the criteria would require states to implement PKIbased digital signatures. Commenters generally appear to have inferred this from proposed § 3.2000(c) Electronic Signature Method, together with EPA’s own choice of PKI for some submissions to CDX, as discussed in the Preamble. Whatever EPA’s plans for CDX, state, tribe, and local government systems do not have to conform to the CDX model. Implementing a particular system of necessity requires the choice of specific technologies. To make those choices does not imply that these are the only possible choices that would satisfy whatever requirements the rule places on electronic reporting systems. Concerning § 3.2000(c), commenters tended to focus on paragraph (5) of this section, which stated that the signature method had to ensure ‘‘that it is impossible to modify an electronic document without detection once the electronic signature has been affixed.’’ EPA did not intend for this provision to establish PKI-digital signature as the required signature method. Given current technology, approaches to satisfying the § 3.2000(c)(5) requirement frequently involve the computation of a number—called a ‘‘hash’’—that has a unique relation to the content of the electronic document such that any change to the document content would change the computed hash. Given the hash, the associated document can be confirmed as unmodified at any time by calculating a new hash and showing that the new and original hashes are identical. Using such a hash-based approach, it is important to ensure that the hash has been secured from VerDate Aug<31>2005 16:26 Oct 12, 2005 Jkt 208001 tampering, and encryption is probably the most straightforward way to do this. Encryption can be accomplished in a number of ways. Approaches include PKI-based digital signature, digital signature where the asymmetric keypair is not associated with a PKI certificate, and various forms of symmetric-key cryptography. Additionally, it may be possible to avoid cryptography altogether by storing the hash value in a system with appropriately controlled access. Thus, a solution using PKI-based digital signatures represents only one among a number of possible approaches to satisfying the proposed §3.2000(c)(5) requirement. A number of commenters also misinterpreted the criteria under proposed § 3.2000(e) Electronic signature/certification scenario (especially the provisions for signatory’s review of data under § 3.2000(e)(1)(i)) as requiring signatories to scroll through their submissions on-screen before they affix their electronic signatures, and requiring state systems to enforce this required ‘‘scroll-through’’. However, the proposal provided not that the signatory must review the data on-screen, but rather that he or she be given the opportunity to do so. The example of the enforced on-screen ‘‘scroll-through’’ then envisioned for CDX, and provided in the CDX section of the proposal’s preamble, was in error. EPA did not intend to require this ‘‘scroll-through’’ of submitted data prior to signature. EPA certainly does expect and encourage reporting entities to review data intended for electronic submission prior to signature, but does not mandate this or any other particular mode or method of signatory review in today’s rule. Returning to the three comment themes—of prescriptiveness, cost and burden, and a ‘‘one size fits all’’ approach—commenters who raised the prescriptiveness issue generally argued that, even supposing that there were no specific objections to the detailed § 3.2000 provisions, EPA had failed to make the case that every single requirement under these provisions is necessary to ensure the legal dependability of electronic submissions. Commenters who argued that the proposed rule would be too costly and burdensome generally focused on § 3.2000(c)(5) and § 3.2000(e)(1)(i), discussed above, or on the proposed § 3.2000(d) registration and signature agreement provisions. There were many comments to the effect that the complex § 3.2000(d) registration and reregistration requirements would pose substantial barriers to regulated PO 00000 Frm 00010 Fmt 4701 Sfmt 4700 company participation in electronic reporting and involve unacceptable expenses for implementing agencies. Commenters also noted that the required § 3.2000(e)(1)(i) would be difficult to integrate with company workflow practices in many cases. Finally, there is the ‘‘one size fits all’’ issue. Some of the comments raised this as another version of the ‘‘prescriptiveness’’ issue, but adding that the proposal developed just one model of electronic reporting and attempted to make it fit the differing circumstances of the various state, tribe, and local agencies that would have to comply. Other comments emphasize the point that the proposal takes requirements apparently tailored to assuring an electronic document’s authenticity and applies them to all cases of electronic reporting, whether or not the question of authenticity is likely to arise. EPA has considered these and related comments in writing today’s rule. We do not wish to set overly prescriptive requirements and so foreclose acceptable electronic reporting alternatives that could offer equivalent or better assurance of legal dependability while, perhaps, being easier for a state, tribe, or local agency to implement. We do not wish to set requirements that impose unnecessary costs or burdens. And, while we do not see a ‘‘bright line’’ around the universe of cases where document authenticity might be of concern, we also do not wish to address authenticity with requirements that leave states, tribes, and local governments with too little flexibility in how they may adapt their electronic reporting implementations to their particular circumstances. Accordingly, EPA has decided to finalize criteria for electronic document receiving systems that directly articulate the underlying goal of assuring the legal dependability of electronic documents authenticity, and to add more specific requirements only to the extent that they are needed to achieve this underlying goal. Accordingly, the provisions of today’s rule have been clarified as general performance standards necessary to ensure the legal dependability of the electronic documents they receive. Additional comments on the proposed criteria and EPA’s responses can be found in the rulemaking docket, in the Response to Comments document. 3. Revisions to the criteria in the final rule. In today’s final rule, we intend to fulfill the underlying goal of the proposed § 3.2000 criteria for electronic document receiving systems. This is to assure the authenticity and non- E:\FR\FM\13OCR3.SGM 13OCR3 Federal Register / Vol. 70, No. 197 / Thursday, October 13, 2005 / Rules and Regulations repudiation of electronic documents submitted in lieu of paper reports, so that they are as legally dependable—that is, as admissible in evidence and accorded the same evidentiary weight— as their paper counterparts. As noted earlier, this goal was expressed most directly in the proposed § 3.2000(b) ‘‘Validity of Data’’ criterion. Accordingly, for the final rule, we started with the proposed § 3.2000(b) and then clarified the remaining proposed § 3.2000 criteria as general performance standards for electronic document receiving systems, which were incorporated as needed to assure 59857 the legal dependability of the electronic documents such systems receive. The resulting § 3.2000(b) in the final electronic reporting rule reflects the requirements discussed in the table below. The citation for the corresponding language in the proposed rulemaking is also provided. Citation/subject area in proposed rule Citation/requirement in final section 3.2000(b) Proposed § 3.2000(g), addressing system archives ................................ Section 3.2000(b)’s leading clause requires that the system be able to generate the required data as needed and in a timely manner. Section 3.2000(b)’s leading clause and § 3.2000(b)(4) require that the system be able to generate a ‘‘copy of record’’ that is made available to the submitters and/or signatories for review and repudiation. Section 3.2000(b)(5)(i) requires that the system be able to show that any electronic signature on an electronic document was created by an authorized signatory with a device that the identified signatory was uniquely entitled and able to use. Section 3.2000(b)(5)(ii) requires that the system be able to show that the electronic document cannot be altered without detection once it has been electronically signed. Sections 3.2000(b)(5)(iii)—(iv) require that the system be able to show that, before signing, any signatory had the opportunity to review what he or she was certifying to in a human-readable format, and to review the certification statement including any provisions relating to criminal penalties for false certification. Section 3.2000(b)(5)(v) requires that the system be able to show that the signatory signed an ‘‘electronic signature agreement’’ or a ‘‘subscriber agreement’’ acknowledging his or her obligations connected with preventing the compromise of the signature device. Section 3.2000(b)(5)(vi) requires that the system be able to show that it automatically sent an acknowledgment of any electronic submission it received that bears an electronic signature; the acknowledgment must identify the electronic document, the signatory and the date and time of receipt, and be sent to an address that does not share the access controls of the account used to make the submission. Section 3.2000(b)(5)(vii) requires, for each electronic signature device used create an electronic signature on documents that the system receives, that the system be able to establish the identity of the individual uniquely entitled to use that device and his or her relation to the entity on whose behalf he or she signs the documents. Proposed §§ 3.2000(e)(3) and 3.2000(f), addressing signature/certification scenarios and transaction record. Proposed §§ 3.2000(c) and 3.2000(d), addressing the electronic signature method and submitter registration process. Proposed § 3.2000(c)(5), addressing requirement that it be impossible to modify an electronic document without detection once it has been electronically signed. Proposed § 3.2000(e), addressing the signature/certification scenario ... Proposed § 3.2000(d), addressing the submitter registration process .... Proposed § 3.2000(e)(2), addressing acknowledgment ........................... Proposed § 3.2000(d)(1)–(3), addressing submitter registration. ............. The requirements in § 3.2000(b)(5)(iii)–(iv) of today’s rule, concerning ‘‘opportunity to review,’’ do not place the responsibility for providing an opportunity, or for showing whether or not an opportunity was actually taken, on the state, tribe, or local government electronic document receiving system. What is required is that the system provide evidence sufficient to show that an opportunity was provided; this point is explained in greater detail in sections VI.E.8 and VI.E.9 of this Preamble. EPA believes that the standards in § 3.2000(b) of today’s rule, as developed from the proposed ‘‘Validity of Data’’ criterion, together with other proposed criteria clarified as general performance standards, represent the minimum set of requirements for electronic document receiving systems necessary to ensure the legal dependability of the electronic documents such systems receive. For example, the requirement for a copy of record is necessary to ensure that there VerDate Aug<31>2005 16:26 Oct 12, 2005 Jkt 208001 is an authoritative answer to the question of what information content a signatory was certifying to or attesting to. The related requirement that the system be able to provide timely access to copies of record and related data reflects a practical concern that the data be accessible in time and in a format to serve the purposes for which it is needed. Concerning the requirement that signature devices be uniquely assigned to, and held by individuals, EPA believes that an acceptable electronic document receiving system must be able to attribute a signature to a specific individual, to help assure that the signatory cannot repudiate responsibility for the signature. Nonrepudiation is also strengthened by the signed electronic signature agreement, which establishes that the signatory was informed of his or her obligation to keep the signature device from compromise by ensuring that it is not made available to anyone else. Requiring the signature PO 00000 Frm 00011 Fmt 4701 Sfmt 4700 agreement, as well as the opportunity to review what they are signing, helps establish that where signatures appear on electronic documents, the signatories had the requisite intent to certify. That is, these requirements help ensure that the signatories knew what they were signing, knew what signing meant, and understood the legal implications of false certification. As for the requirement that document content cannot be altered without detection after signature, an acceptable electronic document receiving system must provide evidence sufficient to allow a court to attribute the intention to certify to the document’s current content to the signatory, so that he or she cannot repudiate this content. Finally, today’s § 3.2000(b)(5)(vii) requirement that the system be able to establish the identity of the individual who is assigned a signature is based on proposed § 3.2000(d). Proposed § 3.2000(d) logically entails today’s § 3.2000(b)(5)(vii), because satisfying the E:\FR\FM\13OCR3.SGM 13OCR3 59858 Federal Register / Vol. 70, No. 197 / Thursday, October 13, 2005 / Rules and Regulations provisions of the former guarantees compliance with the latter. However, today’s § 3.2000(b)(5)(vii) limits the scope of the proposed § 3.2000(d)(3) requirement that, in registering for their signature devices, registrants must execute their electronic signature agreements on paper with handwritten signatures. In today’s § 3.2000(b)(5)(vii), this requirement is limited to a special class of ‘‘priority report’’ submittals. (See section VI.E.12 of this Preamble.) In addition, today’s § 3.2000(b)(5)(vii) offers alternatives to this handwritten signature requirement, to allow electronic reporting solutions that are completely free of paper transactions. The alternative provisions, found in today’s § 3.2000(b)(5)(vii)(A)–(B), are elaborations of the proposed § 3.2000(d)(1) requirement for ‘‘evidence [of identity] that can be verified by information sources that are independent of the registrant and the entity or entities’’ for which the registrant will submit electronic documents. The elaborations are necessary to assure that individuals’ identities can be established without being able to rely on their handwritten signatures—and, in the final rule, the requirements apply only to ‘‘priority report’’ submittals, and only where the choice is made to not use paper in the execution of electronic signature agreements. Section VI.E.12 of this Preamble outlines all of today’s § 3.2000(b)(5)(vii) provisions in much more detail. In any event, we have made these changes to the proposed § 3.2000(d) approach to help address commenters’ concerns with ‘‘one size fits all’’ provisions, as well as to allow states, tribes, and local government as much flexibility as possible as they implement their electronic reporting systems. In sum, the overall approach to the standards for electronic document receiving systems in today’s rule reflects a balancing of the concerns raised by the public comments, especially those relating to the proposal’s burden on states, tribes, local governments and regulated entities, against the need to ensure the legal dependability of electronic documents submitted under authorized programs. Finally, EPA notes that to date the Agency has had limited experience with the practical application of electronic signatures and electronic reporting generally. With the benefit of practical experience accepting electronic reports under this rule, EPA may determine that this rule needs to be revisited, to either add or eliminate certain safeguards. In addition, while EPA has sought to write this rule so that VerDate Aug<31>2005 16:26 Oct 12, 2005 Jkt 208001 its provisions are technology-neutral, it remains possible that revisions will be required to reflect technological changes or changes in prevailing industry norms and practices. If these or other circumstances require it, EPA thus reserves the right to revisit the issues addressed in this rule. C. How has EPA accommodated electronic submissions with follow-on paper certifications? Currently there are EPA and state programs that take electronic submissions where the requirements for a signed certification statement are met with a follow-on paper submission with handwritten signatures. A number of commenters suggested that such an approach be recognized and allowed to continue under the electronic reporting rule. EPA has no wish to proscribe such an approach, and does not judge whether or not follow-on paper signature/certification is to be preferred to the approach where the signature/ certification is electronic. To make this clear in the final rule, we have added a clause to § 3.10(b) that allows follow-on handwritten signatures to substitute for electronic signatures on submissions to EPA where ‘‘EPA announces special provisions’’ for this purpose. A corresponding clause in § 3.2000(a)(2) of today’s rule makes a similar allowance for electronic reporting under authorized state, tribe, or local programs, again, where ‘‘the program makes special provisions to accept a handwritten signature on a separate paper submission.’’ Among other things, these ‘‘special provisions’’ would allow follow-on paper signature submission only if it were reliably linked or cross-referenced with the associated electronic document. The linking or crossreferencing is necessary in part to ensure that we can always determine which signature submissions belong with which electronic documents. Paper signature submissions must also provide sufficient evidence that the signatory intended to certify to or attest to the content of the electronic document as this content is recorded in the copy of record for the submission. There are various approaches to cross-referencing or linking that would meet these needs, most of which involve the inclusion of extra data elements in the signature submission that reference the associated electronic document. Such data elements might include summary data from the electronic document, the date and time of the electronic submission, or even the calculated hash value of the electronic document. EPA may use these and other alternatives if a decision PO 00000 Frm 00012 Fmt 4701 Sfmt 4700 is made to provide for direct electronic reporting to EPA with follow-on paper signatures. For such submissions to authorized programs, we have added to § 3.2000(a)(2) of today’s rule the requirement that authorized program provisions for follow-on paper signature submissions ‘‘ensure that the paper submission contains references to the electronic document sufficient for legal certainty that the signature was executed with the intention to certify to, attest to, or agree to the content of that electronic document.’’ D. How has EPA changed proposed definitions of terms? The ‘‘Definitions’’ section of the final rule, § 3.3, provides new definitions for ‘‘copy of record,’’ ‘‘electronic signature agreement,’’ and ‘‘valid electronic signature,’’ as well as the revisions to the definition for ‘‘electronic signature device,’’ to help articulate the final § 3.2000(b) standards for electronic document receiving systems. These terms are explained in more detail in section VI, below. (See especially, sections VI.E.2., VI.E.10. and VI.E.6.) Similarly, in section VI.B.2 of this Preamble we note the role of the new definition for ‘‘existing electronic document receiving system;’’ and, in section VI.E.12 we discuss the new definitions for ‘‘agreement collection certification,’’ ‘‘disinterested individual,’’ ‘‘information or objects of independent origin,’’ ‘‘local registration authority,’’ ‘‘priority reports,’’ and ‘‘subscriber agreement.’’ Section 3.3 also reflects a number of clarifying and/or simplifying changes for definitions of terms, as follows. 1. Definition of ‘‘acknowledgment.’’ This definition has been added in conjunction with § 3.2000(b)(5)(vi) of today’s rule, to make clear that in the context of this rule, acknowledgment means a confirmation of electronic document receipt. 2. Definition of ‘‘electronic document.’’ This definition has been revised from the proposed version in several ways. First, the use of ‘‘communicate’’ has been eliminated, thereby eliminating the need for a separate definition of that term. Second, the exclusion of magnetic and optical media and facsimile submissions has been eliminated. We believe it is clearer to exclude such submissions from the scope of CROMERR under § 3.1, entitled ‘‘Who does this part apply to?’’ Today’s rule now provides this exclusion in §§ 3.1(b) and 3.1(c). Third, the definition has also been revised so that it explains what a ‘‘document’’ is in an electronic medium. Instead of saying that an ‘‘electronic document means a E:\FR\FM\13OCR3.SGM 13OCR3 Federal Register / Vol. 70, No. 197 / Thursday, October 13, 2005 / Rules and Regulations document. * * *,’’ the final version says that ‘‘electronic document means any information in digital form. * * *,’’ where information is explained as potentially including ‘‘data, text, sounds, codes, computer programs, software or databases.’’ Fourth, this definition clarifies that in this context, ‘‘data,’’ is used in its normal sense as denoting a delimited set of data elements, each of which is a unit of meaning in a document and consists of a content or value together with an understanding of what the meaning and/or context of the content or value is. Finally, the definition stipulates that where an electronic document includes data, the understanding of what the data content or value means must either be explicitly included in the electronic document or be readily available through such sources as an applicable data element dictionary, or a form or template that specifies what each data element means when it is presented in the specific file format used for the electronic document’s submission. A consequence of this approach is that the identity of an electronic document consisting wholly of data is independent of the format in which it is presented or submitted. That is to say, rearranging or reformatting the data elements in an electronic document does not change it into a different one, at least so long as the signatory’s intention and understanding of what the data elements each mean is preserved in the process. This does not conflict with the ordinary understanding of the term ‘‘document,’’ since we speak quite often of ‘‘reformatting a document,’’ with the clear understanding that what results will be the same document in a new format. Correspondingly, under the definition of ‘‘copy of record,’’ a ‘‘true and correct’’ copy of an electronic document does not necessarily have to reflect the format in which the document was submitted, provided that the document consists wholly of data. This independence of document identity from format may not always hold where other kinds of information are included in the electronic document, e.g. text or images; in such cases a copy of record may have to include format or formatting information. 3. Definition of ‘‘electronic signature.’’ This definition has been revised by substituting ‘‘information in digital form’’ for ‘‘electronic record,’’ to avoid problems with defining ‘‘electronic record.’’ The definition has also been revised to make clear that the electronic signature for an electronic document need not always be ‘‘included’’ within that document; in some cases it may just VerDate Aug<31>2005 18:22 Oct 12, 2005 Jkt 208001 be ‘‘logically associated’’ with it. This point is explained further in section VI.E.2 of this Preamble, in discussing the copy of record requirement. 4. Definition of ‘‘electronic signature device.’’ The definition of ‘‘electronic signature device’’ has been revised to clarify that where a device is used to create an individual’s electronic signature, then the device must be unique to that individual, and he or she must be uniquely entitled to use it at the time that the signature is created. Correspondingly, the device is compromised if it is available for use by any other individual, that is, if some other individual is able to use the device to create signatures if he or she wishes. To the extent that §§ 3.10(b) and 3.2000(b)(5)(i) of the final rule prohibit the acceptance of signatures created with compromised devices, via the definition of ‘‘valid electronic signature,’’ the element of compromise rules out the sharing of electronic signature devices or delegating their use to create individuals’ electronic signatures. Additionally, the definition includes the element that an individual needs to be entitled to use the electronic signature device; that is, the individual needs to be the ‘‘owner’’ of the device. The nature of the device itself will determine the way in which an individual comes to own it. In the case of personal identification numbers or certificate-based private/public key pairs, there is normally some process of formally assigning the device to the individual, often through a trusted third party. In other cases, for example password or personal information-based signature devices, the process may have the individuals invent and assign the devices to themselves ‘‘ the basis for their ownership of the devices being determined by the circumstances or context within which they do this. 5. Definition of ‘‘transmit.’’ In the proposed rulemaking the term ‘‘submit’’ was defined as the ‘‘means to successfully and accurately convey an electronic document so that it is received by the intended recipient in a format that can be processed by the electronic document receiving system.’’ However, the term ‘‘submit’’ is used more widely in the rule in ways that are not consistent with this definition. Accordingly, in the final rule the function of successful and accurate conveyance of an electronic document is now termed ‘‘transmit.’’ 6. Definition of ‘‘valid electronic signature.’’ Beyond its role in § 3.2000(b), this definition has also been added to help clarify and simplify the signature requirements associated with electronic reporting, both directly to PO 00000 Frm 00013 Fmt 4701 Sfmt 4700 59859 EPA, in § 3.10, and under authorized programs, in § 3.2000(a)(2). The definition specifies three main conditions for validity. The first refers to features of the signature that are intrinsic to the items of information of which it consists: The signature must consist of the kind of information that has been established as appropriate for the signing of the document in question, and the specific information content must pass the validation tests which the system uses to determine that the signature belongs uniquely to the identified signatory. The second condition refers to the status of the electronic signature device used to create the signature, and ensuring that the device was not compromised at the time it was used to create the signature. This ties validity to the element of compromise within the definition of ‘‘electronic signature device.’’ That is, at the time of signature, the device must not have been made available to someone other than the individual who is entitled to use it. The third condition refers to the signatory’s status at the time of signature as someone who is authorized to sign the document in question by virtue of his or her legal status and/or relationship to the entity on whose behalf the signature is executed. In the context of environmental reporting, this condition would make invalid electronic signatures on company compliance reports created by individuals who do not work for or in any way represent the company. Generally, in the context of environmental reporting, individuals who sign submissions to environmental agencies are explicitly authorized to do so, by their management and/or by the agency to which they report. However, in some cases the authorization may be implicit in the signatory’s legal status and relationship to the regulated entity. For example, an owner or operator of a company is generally authorized to sign notifications or letters to an environmental agency whether or not this is explicitly provided for by law or regulation. As ‘‘valid electronic signature’’ is used in §§ 3.10 and 3.2000(a)(2), the validity of an electronic signature is necessary for the signatory’s electronic submission to satisfy a federal or authorized program reporting requirement. Additionally, as the term is used in § 3.2000(b), it also refers to a performance requirement for an electronic document receiving system, namely that the system must not accept and must be able to detect submissions with signatures that are not valid. These requirements in terms of ‘‘validity’’ are E:\FR\FM\13OCR3.SGM 13OCR3 59860 Federal Register / Vol. 70, No. 197 / Thursday, October 13, 2005 / Rules and Regulations meant to provide a form of insurance for electronic signatures to protect against the risks of repudiation. Nonetheless, a signatory may be legally bound by a signature even where not all the requirements for its validity have been met, e.g., where the signature has been executed with a compromised electronic signature device. The signatory of an electronic submission cannot avoid responsibility for its contents by pointing to a technical flaw or other defect in the signature process. V. Requirements for Direct Electronic Reporting to EPA A. What are the requirements for electronic reporting to EPA? Under the final rule, the requirements for electronic reporting to EPA remain essentially unchanged from those in the proposal. Section 3.10 provides, first, that electronic documents must be submitted to an appropriate EPA electronic document receiving system. Generally this will be EPA’s Central Data Exchange (CDX), although EPA can also designate additional systems for the receipt of electronic documents and is doing so in a separate Federal Register notice. Second, where a paper document must bear a signature under existing regulations, an electronic document that substitutes for the paper document must be signed (by the person authorized to sign under the current applicable provision) with a valid electronic signature. Only electronic submissions that meet these two requirements will be recognized as satisfying a federal environmental reporting requirement, although failure to satisfy these requirements will not preclude EPA from bringing an enforcement action based on the submission or otherwise relying on the submission. A new compliance and enforcement section has been added to the final rule to clarify certain compliance and enforcement issues related to electronic reporting. Section 3.4 makes clear that EPA can seek and obtain any appropriate federal civil or criminal penalties or other remedies for failure to comply with an EPA reporting requirement if a person submits an electronic document to EPA under this rule that fails to comply with the provisions of § 3.10. Similarly, § 3.4 makes clear that EPA can seek and obtain any appropriate federal civil or criminal penalties or other remedies for failure to comply with a state, tribe, or local government reporting requirement if a person submits an electronic document to a state, tribe, or local government under an authorized VerDate Aug<31>2005 16:26 Oct 12, 2005 Jkt 208001 program and fails to comply with the applicable provisions for electronic reporting. Section 3.4 also contains provisions originally published under § 3.10(d) and (e) of the proposal, stipulating that the electronic signature will make the person who signs the document responsible, bound, or obligated to the same extent as he or she would be signing the corresponding paper document by hand. The § 3.10 requirement that there be an electronic signature applies only where a paper document would have to bear a signature were it to be submitted, either because this is required by a statute or regulation, or because a signature is required to complete the paper form. The rule does not impose any new or additional signature requirements for documents that are submitted in electronic form. In addition, as noted in section IV.C of this Preamble, § 3.10(b) of today’s rule also allows EPA to make special provisions, in specific cases, for accepting handwritten signatures in follow-on paper submissions in lieu of the required electronic signatures. In such cases, it is critical that the special provisions ensure that the electronic document cannot be altered without detection and is reliably linked to the handwritten signature. As in the proposal, this final rule does not specify any required hardware or software. Accordingly, the rule text does not include any detail about CDX per se or about what will be required of regulated entities who wish to use it. Nonetheless, as stated in the proposal, our goals include the sharing of detail on how CDX implements direct electronic reporting to EPA. Section V.C.4 of this Preamble explains how CDX has changed since we described it in the proposal, especially in relation to the many comments we received on CDX-related issues. B. What is the status of existing electronic reporting to EPA? In a notice published concurrently with today’s rule, EPA clarifies the status of electronic reporting directly to EPA systems that exist as of the rule’s publication date. In accordance with 40 CFR 3.10, EPA is designating for the receipt of electronic submissions, all EPA electronic document receiving systems currently existing and receiving electronic reports as of the date of this notice. This designation is valid for a period of up to two years from the date of publication of this notice. During this two-year period, entities that report directly to EPA may continue to satisfy EPA reporting requirements by reporting to the same systems as they PO 00000 Frm 00014 Fmt 4701 Sfmt 4700 did prior to CROMERR’s publication unless EPA publishes a notice that announces changes to, or migration from, that system. Any existing systems continuing to receive electronic reports at the expiration of this two-year period must receive redesignation by the Administrator under § 3.10. Notice of such redesignation will be published in the Federal Register. EPA’s goal is that all its systems for receiving electronic reports be consistent with the CROMERR standards for electronic document receiving systems, set forth in § 3.2000(b) of today’s rule. EPA generally hopes to achieve this consistency within a two-year transition period for existing EPA systems; however, EPA is not bound by the § 3.2000(b) standards of today’s rule or the two-year period. This two-year period is similar to the two-year transition period provided under § 3.1000(a)(3) for systems operated under EPA-authorized programs. In a number of cases, EPA may work toward this goal by migrating existing electronic reporting to CDX or to other, new CROMERR-consistent systems. As we change or migrate existing electronic reporting programs to achieve consistency with the CROMERR standards, we intend to provide sufficient advance notice to reporting entities so that any new requirements can be accommodated without causing significant disruption to their electronic reporting activities. C. What is EPA’s Central Data Exchange? 1. Overview of general goals. The proposal described EPA’s ‘‘Central Data Exchange’’ as a system to be developed and maintained by EPA’s Office of Environmental Information (OEI) that would serve as EPA’s gateway or ‘‘portal’’ for receiving documents electronically from our reporting community. The goal of CDX was to augment, and, where appropriate, streamline and consolidate EPA’s environmental reporting functions by offering our reporting community faster, easier, and more secure submission options through a single venue for electronic submission of environmental data. As a cornerstone of EPA’s efforts to advance electronic government, CDX would support the electronic submission needs of thousands of regulated entities submitting data to EPA for certain air, water, waste, and toxic substances programs. Ultimately, EPA planned to offer, wherever practicable, all regulated entities that report directly to EPA, an option to file their specific environmental documents E:\FR\FM\13OCR3.SGM 13OCR3 Federal Register / Vol. 70, No. 197 / Thursday, October 13, 2005 / Rules and Regulations electronically through CDX. Regulated entities that submit reports under an authorized program would also be able to file their documents through CDX in cases where the state, tribe or local government that administered the program chose to use CDX as a gateway for electronic data submissions from its reporting community. The reporting community using CDX would be able to access web ‘‘reporting’’ forms with built-in data quality checks, and/or submit standard file formats through common, user-friendly interfaces that allowed them to electronically submit data across vastly different environmental programs. Both the reporting community and EPA would benefit by gaining access to environmental reports more quickly and with fewer errors, and by avoiding the inefficiencies of having to keystroke data from paper reports. CDX was also being developed to support a newly emerging Environmental Information Exchange Network (EIEN) that would facilitate the electronic exchange of environmental data between EPA and state, tribe, and local environmental agencies. However, in keeping with the scope of the proposed rule the description of CDX features and functions in this section apply only to electronic submissions to CDX from regulated entities; the description doesn’t apply to EIEN exchanges with CDX in which states, tribes, or local governments participate as a part of their authorized programs or as a part of administrative arrangements with EPA to share data. The Concept of Uniformity. The proposal also characterized CDX as providing an environment that would promote a uniformity of technologies and processes. By adopting CDX to support the electronic reporting needs across various EPA programs, EPA hoped to avoid the proliferation of program-specific electronic reporting approaches that could lead to duplicative investments in electronic document receiving systems and possibly conflicting requirements for submitters. The CDX Functions and Building Blocks. As described in the proposed rule, CDX was being designed with the goal of fully satisfying the criteria that the proposal specified for state, tribe, and local electronic document receiving systems; similarly, EPA would ensure that other systems the Administrator designated to receive electronic submissions satisfied the criteria as well. The proposal discussed how CDX would implement CROMERR-compliant electronic reporting by describing the primary CDX functions and the system VerDate Aug<31>2005 18:22 Oct 12, 2005 Jkt 208001 building blocks that would support these functions. The functions described in the proposal included: (1) Access management, (2) data interchange, (3) signature/certification management, (4) submitter and data authentication, (5) transaction logging, (6) copy of record provisions and acknowledgment, (7) archiving, (8) error checking, (9) translation and forwarding, and (10) outreach. The proposal then described five building blocks that would support CDX functions, which were: (1) Digital signatures based on PKI, where CDX would rely predominately on a third party vendor under the General Services Administration (GSA) Access Certificates for Electronic Services (ACES), (2) a process for registering users and managing their access to the CDX, (3) a client server-architecture, (4) EDI standards, as the primary format for exchanging environmental data, and (5) a consistent user interface for making electronic submissions. 2. Comments on the proposal. EPA received more than 100 comments on the CDX concept as described in the proposal. A number of these comments were related to one of four main subject areas, as follows. Comments on Uniformity of Approach. Several comments expressed concern about the proposed characterization of CDX as promoting ‘‘uniformity of process and technology’’. The phrase was used to highlight the benefits of CDX, which included EPA’s plans to avoid the costly proliferation of redundant systems. However, comments pointed out that this ‘‘uniformity’’ implied an inflexible and overly prescriptive set of CDX technical and security requirements, which would discourage CDX use. Such comments were similar to those discussed in section IV.B.2 of this Preamble, raising concerns about the prescriptiveness and ‘‘one size fits all’’ approach of the proposed criteria for electronic document receiving systems. EPA understands that ‘‘uniformity of process and technology’’ could imply inflexibility, and this is not generally how we intended to develop CDX. In fact, CDX is currently using a wide range of technologies and processes to address CDX’s functions that are tailored to individual EPA program submission requirements, including the technical capabilities of the reporting community for the particular program. EPA recognizes that, for example, permitting, compliance monitoring, and the conduct of studies involve fundamentally different business processes, and that the associated submission of electronic documents may have to be handled differently in PO 00000 Frm 00015 Fmt 4701 Sfmt 4700 59861 each case. In some instances CDX may support a more interactive ‘‘workflow’’ environment for submitting data; in others, CDX may accept batch transmissions of user-formatted files. It is also true that the technical capabilities of a particular reporting community vary considerably, so CDX will offer more than one electronic submission option in many cases. CDX currently provides support for webforms, file, and record-level submissions in various formats including flat file and XML and EPA plans to continue this flexible approach. Comments on registration process. Comments from regulated entities raised concerns about the costs and time required to register individuals in each company, and EPA’s failure to address the increasingly common cases where the preparer of an environmental report and the certifying official are different individuals. Because electronic submission is being offered as an option to the reporting community, EPA recognizes the need to design CDX registration to be as user-friendly as practicable, in part by taking account of the flow of work, or ‘‘workflow’’ involved in meeting a particular environmental reporting requirement. For example, since proposal, EPA has developed approaches to register both preparers and certifying officials for at least two reporting programs. Changes to the CDX registration process are discussed in more detail in section V.C.4. Comments on digital signatures based on PKI. Comments pointed out that reliance on PKI for all cases of electronic signature may violate the GPEA directive to vary electronic signature approaches with the circumstances of their use. Several comments underlined this concern by pointing to PKI’s costs and burdens. The comments objected that registering through CDX and acquiring digital signature certificates would be overly complicated, and would require that registrants provide private or personal information. Some comment also expressed concern about the incompatibility of a PKI-based approach with workflow, given that environmental reports were frequently prepared by staff and then signed by the facility owner, with staff turnover being frequent. Another concern was the implications of CDX PKI software for company system security, for example, given the need to download CDX software through the company firewall. EPA agrees that it should generally minimize the complexity and cost of electronic signatures or this will deter potential users of CDX from submitting E:\FR\FM\13OCR3.SGM 13OCR3 59862 Federal Register / Vol. 70, No. 197 / Thursday, October 13, 2005 / Rules and Regulations electronic documents. In implementing CDX, EPA has revised the initial plan for electronic signatures to include nonPKI electronic signatures. Section V.C.4 discusses how we are changing the ‘‘digital signature based on PKI building block.’’ Comments on EDI Standards. Comments expressed both encouragement and concern over CDX’s prospective implementation of standards-based exchange formats for data submissions. An exchange format is a predefined file structure, including data elements and higher level syntax that describes how the data extracted from a system must be arranged in a file for transmission to another system. A standards-based format adheres to certain widely-accepted industry, national, or international file structure definitions. Several comments expressed concern about the costs of configuring their systems to generate a CDX-specified standard format; others expressed concerns about the costs of potential changes to the format once it is implemented on their systems. By contrast, other comments strongly supported requiring standards-based formats—even recommending that we require such formats by rule for EPA and EPA-authorized state, tribe, and local electronic document receiving systems. CDX’s approach to standards-based formats has changed considerably since the proposal, in large part because of the emergence of Internet-based approaches, most notably Extensible Mark-up Language (XML). These changes are discussed in more detail in section V.C.4. EPA believes that the use of standard formats can be encouraged without requiring this by rule. Additional comments on CDX and EPA’s responses can be found in the rulemaking docket, in the Response to Comments document. 3. The aspects of CDX that have not changed since proposal. General Goals. EPA’s continues its efforts to establish CDX as the gateway or ‘‘portal’’ for receiving documents electronically from the Agency’s reporting community. In so doing, EPA’s goal—to augment, and where appropriate, to streamline and consolidate EPA’s environmental reporting functions through CDX— remains unchanged. The functions that comprise CDX operations continue to remain the same though the range of technologies and processes used to support these functions has considerably broadened. CDX continues to implement electronic reporting capabilities for EPA’s many environmental programs, while VerDate Aug<31>2005 16:26 Oct 12, 2005 Jkt 208001 advancing the efforts of EIEN in coordination with state, territorial, tribes, and other partners. General Approach to Electronic Reporting Implementation. In general, current instructions for client-side access of CDX suggest Internet access and a system that uses both Microsoft Windows and Microsoft Internet Explorer (IE). EPA acknowledges that the Government Paperwork Elimination Act (GPEA) directs OMB to develop procedures for agencies to follow in using and accepting electronic documents and signatures and these procedures ‘‘may not inappropriately favor one industry or technology.’’ Consistent with this GPEA directive, EPA is committed to considering ways to allow other vendors’ technologies to access CDX. Accordingly, over the six months following the publication of today’s rule, EPA intends to assess the full range of issues that affect CDX’s ability to support multiple platforms and browsers. These issues include the technical requirements for the electronic signature options, form entry options, data upload options, network interface options, current capabilities of the CDX hardware/software platform, and potential impacts of new client-side platforms on the CDX life cycle management, technical support requirements, and help desk training and support. Based on this assessment, EPA intends to determine the target universe of client-side platforms and browsers that CDX can feasibly accommodate, and will identify the actions and timeline necessary to build out CDX support for this target universe. As described in the proposal, CDX users will need to: • Register with CDX, during which time they may need to supply information used to identify themselves, their company, and the EPA documents they wish to submit electronically; • Verify and/or correct registration information; and • Access their CDX web account through a secure website, and agree to the terms and conditions of using the site, which include safeguarding their self-generated password, before using web forms or uploading files to submit electronic documents or data to EPA. These are the minimum steps for gaining access to CDX at this time. Additional steps are involved in acquiring an electronic signature device, although these steps have changed somewhat since the proposal and are discussed in section V.C.4. CDX also offers at least two general methods for reporting electronically for many programs it supports, either through file PO 00000 Frm 00016 Fmt 4701 Sfmt 4700 submission or through a ‘‘smart web form’’. However, the types of formats and approaches for submitting data through CDX have broadened, and these too are discussed in section V.C.4. 4. The major changes that EPA has made to CDX since proposal. Over the last two years, CDX has evolved from a prototype system to a fully operational electronic document receiving system. CDX supports tens of thousands of registered users providing data to dozens of environmental reporting programs across the major EPA media offices. CDX registered users include representatives from state, tribe, and local agencies, industries, laboratories, and other federal agencies. While CDX continues to provide a secure, single point of registration, access, and exchange between reporting entities and EPA programs, the building blocks supporting the CDX functions have changed substantially. These changes reflect EPA’s experience operating CDX over the past two years, evolving trends in Internet technologies, and comments received on the proposed rule from potential CDX users. Digital signatures based on PKI. The proposal described the CDX approach to electronic signatures in terms of digital signatures and PKI. Since proposal, EPA has come to appreciate the complexity and costs of implementing PKI, and to recognize that non-PKI electronic signatures, as described in section IV.B.2 of the preamble today’s rule, may be acceptable in many cases. Thus, for electronic reports currently submitted to CDX, only in one case is PKI used for electronic signature. The other cases involve PIN-based electronic signatures or other non-PKI electronic signature approaches. As an example of the latter, this year we anticipate implementing electronic signatures for an EPA reporting requirement by having signatories use a password that is selfgenerated during CDX registration in combination with certain items of information that are unlikely to be available to anyone except the signatory. This is a ‘‘knowledge-based’’ approach, which is being used extensively by commercial software vendors supporting the United States Internal Revenue Service (IRS) for electronic tax filings or ‘‘e-filings’, and is being adopted by other agencies. EPA expects that these non-PKI-based approaches to signature will continue to dominate CDX implementations of electronic reporting. We currently intend to use PKI where such needs as security or assuring very robust non-repudiation of signature make this the most appropriate approach. E:\FR\FM\13OCR3.SGM 13OCR3 Federal Register / Vol. 70, No. 197 / Thursday, October 13, 2005 / Rules and Regulations In addition, EPA’s approach to PKI itself—described in the proposal as relying on ACES—is also undergoing change. Changes with respect to the role and method of identity proofing for those persons who apply for PKI certificates is being further evaluated. As proposed, the identity proofing was to be conducted by the third party ACES vendor; currently, CDX identity proofing is conducted for the most part by EPA’s own contractor staff, who are able to issue digital certificates to members of the reporting community with less cost and in less time than the ACES vendor. EPA has also begun to explore alternatives to ACES for PKI certificates, partly because ACESprovided certificates do not support message encryption, which EPA may need for certain environmental reporting applications. In addition, EPA is considering its use of ACES in the light of recent federal advances in establishing interoperability across federal PKI domains, which may allow EPA to eventually leverage PKI’s of other federal agencies or institute an inhouse PKI. CDX Registration. Since the proposed rule, CDX has broadened it approach to registration to better accommodate the workflow involved in specific environmental reporting programs. While CDX still requires registration, there are three distinct areas where the registration process has changed since proposal. First, the proposal described CDX registration as the first step toward the issuance of a PKI-based digital signature, and it was implied that all persons opting to use CDX would need a digital signature. As noted above, this is no longer the case. Second, in the proposal, CDX registration began when a person received an EPA invitation letter that contained a temporary code and instructions on how to access the CDX registration website. CDX has adopted additional approaches to initiating registration for certain EPA programs, for example, embedding a link to CDX registration in reporting software that is distributed to the program’s reporting community, or providing a public website where prospective CDX users can submit initial registration data EPA. While CDX continues to register persons by invitation letter for reporting under certain environmental programs, registration options will continue to broaden as the number of environmental programs supported by CDX expands. Finally, in the proposal, CDX registration was completed when the registrant printed out a ‘‘signature holder’’ agreement from the CDX registration website, signed this VerDate Aug<31>2005 16:26 Oct 12, 2005 Jkt 208001 agreement and mailed it to EPA’s CDX. CDX will continue this approach for reports where electronic signatures are required, although EPA is exploring the use of an entirely paperless signature agreement process for at least some of these cases. CDX registration to submit reports that do not include electronic signatures will not involve a ‘‘signature holder’’ agreement. EDI Standards. The proposal described EPA’s plans to use EDI as the basis of standards-based formats for exchanging data between reporting entities and CDX. Since proposal, CDX development has reflected a significant evolution in formatting standards to accommodate the Internet—away from EDI and toward the use of XML. XML consists of a set of predefined tags and message structures that, like EDI, allows machine-to-machine exchange of data in a mutually agreed upon format, enabling exchange of data across different systems. However, unlike EDI, XML is tailored to Internet-based communications and security protocols. Additionally, an XML formatted file in combination with a style sheet can be displayed in a Web browser. Such features would allow CDX to use the same standard format both for exchanging data files and for designing web forms. The structure of XML also addresses some of the challenges in archiving data received, because the XML tags that accompany the data in an XML file can be used to interpret the data’s context without the aid of additional software. This could facilitate the recovery of data from archived files, and reduces the need to maintain the versions of the software originally used to generate the files. CDX and specific EPA programs may address the question of which (if any) standards-based format to use for a particular report on a case-by-case basis, and EPA intends to develop appropriate technical instructions for CDX submitters as program-specific reporting formats are adopted. These instructions normally will be distributed to the affected reporting communities via links on the CDX website and/or through program and CDX outreach efforts. EPA is working with authorized state, tribe, and local programs to develop standards-based reporting formats to meet their shared needs. In many instances, CDX contemplates a long transition period between file formats currently used to exchange data with regulated entities and any new, standards-based formats. During this transition, CDX may offer submitters several electronic submission options; these may include an existing data format familiar to submitters, one or PO 00000 Frm 00017 Fmt 4701 Sfmt 4700 59863 more new standards-based formats, and some other approach such as a smartform hosted on a secure website. Client-side architecture and transaction environment. The proposal described a downloaded ‘‘client’’ that would generally supplement the browser to support the signature and security for CDX; such ‘‘client side’’ software is no longer needed for all cases of electronic reporting to CDX. However, in some cases CDX now uses various technologies to transparently insert routines into browsers during a user session to support special functions—for example to support the creation of a PKI-based electronic signature with an ACES business class certificate. D. How will EPA provide notice of changes to CDX? As noted in the proposal, the fullyimplemented CDX will be subject to change over time, to take advantage of opportunities offered by evolving technologies, as well as to improve the system. EPA’s decision to avoid codifying technology-specific or detailed procedural provisions for electronic reporting is meant, in part, to accommodate changes to CDX without requiring that we amend our regulations. Nonetheless, EPA recognizes that such changes can affect regulated entities that participate in electronic reporting; therefore, the final rule provides for advance notice when EPA intends to make changes to CDX. As discussed in the proposal, we distinguish four categories of changes: • ‘‘Significant’’ changes that are likely to affect the kinds of hardware, software or services involved in transmitting electronic reports (§ 3.20(a)(1)); • ‘‘Other’’ changes that will affect the process or the timing of transmitting electronic reports to CDX, but without affecting the kinds of hardware, software or services involved in making the transmissions (§ 3.20(a)(2)); • ‘‘Emergency’’ changes necessary to protect the security or operational integrity of CDX (§ 3.20(b)). • ‘‘De minimis or transparent’’ changes that will have minimal or no impact on the process or the timing of transmitting electronic reports to CDX. ‘‘Significant’’ changes include changes to the types of file formats CDX will accept—for example a change from extended markup language (XML) formats to some non-XML format—as well as changes to the technologies that may be used for file transfer to CDX or for creating electronic signatures on transmitted reports. ‘‘Significant’’ changes will not generally include optional upgrades to software, the E:\FR\FM\13OCR3.SGM 13OCR3 59864 Federal Register / Vol. 70, No. 197 / Thursday, October 13, 2005 / Rules and Regulations provision of additional formatting (or other technical) options, or changes to CDX that simply reflect changes to the underlying regulatory reporting requirements. ‘‘Other’’ changes include an increase in—or re-ordering of—the steps involved in transmitting electronic reports, changes to the registration or credential (e.g., PIN, password, PKI certificate) provisioning process that could affect users ability to access CDX, and changes to reporting formats that involve the reconfiguration of software. ‘‘Emergency’’ changes include such things as an upgrade to the system firewall protection. Finally, ‘‘de minimis or transparent’’ changes include the myriad small or ‘‘back end’’ fixes and improvements that EPA makes to CDX each week that have minimal or no impact on the transmission process. Such changes may range from fixing a typo on a data entry screen to reengineering the system’s archiving routines. To address ‘‘significant’’ changes, § 3.20(a)(1) of the final rule provides that EPA will give public notice in the Federal Register of such changes and will seek comment. EPA proposed to provide this notice at least a year in advance of contemplated implementation, but based on experience developing and operating a CDX prototype, EPA no longer believes that a single time-frame is appropriate in all situations. For example, ‘‘significant’’ changes that could affect the transmission of an annual report may respond to needs or events that arise less than a year in advance of the report’s due date. On the other hand, some ‘‘significant’’ changes may require more than a year for reporting entities to accommodate. Accordingly, the final rule provides that these Federal Register notices will propose and seek public comment on an implementation schedule for a ‘‘significant’’ change, along with describing and inviting comment on the change itself. To address ‘‘other’’ changes to CDX, § 3.20(a)(2) of the final rule provides that EPA will give notice at least 60 days in advance of implementation. The notice in this case will typically be to CDX users, and the method of notice may be electronic, perhaps using the facilities of CDX itself. For ‘‘emergency’’ and ‘‘de minimis or transparent’’ changes, EPA will make decisions on whether, when, and how to provide public notice on a case-by-case basis. VerDate Aug<31>2005 18:22 Oct 12, 2005 Jkt 208001 VI. Requirements for Electronic Reporting Under EPA-Authorized Programs A. What is the general regulatory approach? As explained in Part V of this preamble, the requirements in § 3.10 of today’s rule apply to reporting entities that submit electronic reports directly to EPA. By contrast, today’s rule contains no requirements that apply directly to entities who submit electronic reports to state, tribe, or local government agencies. However, Subpart D of today’s rule does contain requirements that apply to state, tribe, or local government agencies that operate EPA-authorized programs. Subpart D of today’s rule requires that such agencies that receive, or wish to begin receiving, electronic reports under an authorized program must apply to EPA for a revision or modification of that program and get EPA approval. Subpart D provides standards for such approvals based on consideration of the electronic document receiving system that the state, tribe, or local government will use to implement the electronic reporting. Additionally, Subpart D provides for special procedures for program revisions and modifications that provide for electronic reporting, to be used at the option of the state, tribe, or local government in place of procedures available under existing programspecific authorization regulations. Generally speaking, EPA believes that even absent today’s rule, an authorized program’s electronic reporting implementation would still need EPA’s approval under a program revision or modification. At least where electronic reports may play a role in enforcement proceedings, the authorized program’s electronic reporting implementation has the potential to affect program enforceability, and as such, revises or modifies the program. Today’s rule makes this explicit in § 3.1000. In addition, the final rule includes program-specific amendments to various provisions in 40 CFR to cross reference those rules to the new Part 3. With this approach, EPA hopes to support and promote state, tribe, and local government efforts to make electronic reporting available under their authorized programs, both by clarifying the requirement that EPA approve these electronic reporting initiatives, and by providing a single, uniform set of standards and a speciallydesigned process to facilitate electronic reporting approval for otherwise authorized programs. PO 00000 Frm 00018 Fmt 4701 Sfmt 4700 B. When must authorized state, tribe, or local government programs revise or modify their programs to allow electronic reporting? 1. The general requirement. As discussed earlier, this rule does not require states, tribes, or local governments to allow or require electronic reporting. Where they choose to do so, § 3.1000 generally provides that they must revise or modify such programs to ensure that their electronic reporting implementation will meet the requirements of section 3.2000. Additionally, once these authorized programs begin operating the electronic reporting systems under EPA-approved revisions or modifications, they must keep EPA informed of changes to laws, policies or the electronic reporting systems that could affect the program’s compliance with § 3.2000. Where the Administrator determines that such changes require EPA review and approval, EPA may ask the authorized program to submit an application for revision or modification to address the changes. Alternatively, the authorized program can apply for a revision or modification on its own initiative. For any of these program revisions or modifications, states, tribes, or local governments may use either the application procedures provided under § 3.1000(b)–(e) or the program-specific procedures provided in other parts of Title 40 or the applicable statute. Whichever procedure is used, the state, tribe, or local government must submit an application that complies with the requirements of § 3.1000(b)(1), discussed in section VI.C.1. Section 3.1000(b)(1) identifies the elements of an electronic reporting program that EPA would need to consider in order to approve a state’s, tribe’s, or local government’s approach to receiving electronic documents, in lieu of paper, to satisfy requirements under their EPAauthorized programs. 2. Deferred compliance for existing systems. For authorized programs that have ‘‘existing’’ electronic document receiving systems as of the date this final rule is published, EPA is deferring the deadline for these programs to submit their applications for program revisions or modifications with respect to such systems. The deferral is generally two years from the date of this rule’s publication. This approach is consistent with similar provisions under other regulations governing program authorization where new requirements are imposed. Additionally, EPA conducted extensive discussions with entities operating authorized programs about how much time they generally E:\FR\FM\13OCR3.SGM 13OCR3 Federal Register / Vol. 70, No. 197 / Thursday, October 13, 2005 / Rules and Regulations would need to bring their systems into compliance with today’s rule, given their funding cycles, program review schedules under ‘‘performance partnership’’ agreements, the timeframes for making any necessary system upgrades and completing an application for program revision or modification, and any necessary legislative or regulatory changes. Based upon these discussions, we believe that this two-year period is generally sufficient to allow these programs to make the transition to CROMERRcompliant systems without having to discontinue their electronic reporting operations. Today’s rule also allows authorized programs to request extensions to the two-year deadline where the timeframe for regulatory or legislative changes may be somewhat longer. EPA’s purpose in deferring the application deadline for program revisions or modifications with respect to existing electronic reporting is to avoid disrupting authorized programs’ electronic reporting initiatives that are already underway. With this goal in mind, EPA has defined ‘‘existing electronic document receiving system’’ broadly, to include not only those that are actually operational at the time the final rule is published, but also those that are substantially developed. We recognize that it would be disruptive to require that authorized programs shut down their operational systems during the time it would take to prepare, submit and have their applications for revision or modification approved. However, there is often a very fine line between an operational system and a system under development; for example, where the developmental work is to scale a working prototype up to production. In addition, at least the later stages of development are likely to be restrained substantially or even halted if a system must await EPA approval to operate, and this may affect system costs, availability of contractor staff and their ability to complete the system in a timely manner. Avoiding such disruptions to substantially developed systems is part of the goal of the deferred compliance provisions. To define what counts as a ‘‘substantially developed’’ system for this purpose, the definition of ‘‘existing electronic document receiving system’’ uses evidence that system services or specifications are already established by existing contracts or other binding agreements. Where an agency has already made legally binding agreements to procure a significant proportion of the services and/or VerDate Aug<31>2005 16:26 Oct 12, 2005 Jkt 208001 components that will constitute the system then such a system would be considered ‘‘existing’’ under this rule. While many or most authorized programs with existing systems may need this two-year compliance deferral, some may have no difficulty submitting a completed application well before the end of two years. We strongly encourage such early submissions when feasible. This will make better use of EPA’s review resources and will provide earlier certainty of compliance with this rule for existing state, tribe, and local government electronic reporting programs that are subject to this rule. In addition, EPA believes that, whether through informal consultation or formal application, identifying and addressing any existing system issues as early as possible is the best way to avoid disruption to electronic reporting initiatives currently underway. C. What alternative procedures does EPA provide for revising or modifying authorized state, tribe, or local government programs for electronic reporting? Under § 3.1000, this rule provides procedures which a state, tribe, or local government, at its option, can use to seek approval for revisions or modifications with respect to electronic reporting under its existing authorized programs. These optional procedures are available both for revisions or modifications that seek initial EPA approval for electronic reporting programs, and also for revisions or modifications to accommodate substantial changes to electronic reporting programs that already have EPA approval. Although there is always the alternative of using the program-specific procedures provided in other parts of 40 CFR, EPA believes that, normally, a state, tribe, or local government would find the procedures provided in this rule to be shorter, simpler, and easier. The § 3.1000 procedures allow submission of a single, relatively simple application to request revisions or modifications that address electronic reporting across any number of authorized programs. Additionally, the procedures provide for a single, straightforward EPA review process, with deadlines for EPA action written into the rule. EPA believes that these procedures will be especially useful where the state, tribe, or local government is planning to implement all of its program-specific electronic reporting with a single system. Rather than requiring approval program-byprogram, § 3.1000 allows the system to be addressed in a single application PO 00000 Frm 00019 Fmt 4701 Sfmt 4700 59865 package that can be reviewed in its entirety and responded to within a relatively short and predictable timeframe. 1. The application. To request modifications or revisions under this rule, § 3.1000(b)(1) requires a state, tribe, or local government to submit an application that generally contains three elements. The first is a certification that state, tribe, or local government laws and/or regulations provide sufficient legal authority to implement electronic reporting in conformance with § 3.2000 and to enforce the affected authorized programs using electronic documents collected under those programs; the application must also include copies of the relevant laws and/or regulations. This certification of legal authority is not meant to address actual conformance with § 3.2000(b); that is, the certification is not meant to reflect a judgment about the capabilities of an agency’s electronic document receiving system. However, the certification would address § 3.2000(c), and must be signed by the governmental official who is legally competent to certify with respect to legal authority on behalf of his or her government. In the case of a state, this official must be the Attorney General or his or her designee. In the case of tribes or local governments, this official must be the chief executive or administrative official or officer or his or her designee. EPA realizes that obtaining an Attorney General’s certification for state applications may involve considerable administrative burden; however, as a legal matter, EPA believes that Attorneys General or their designees are the only officials capable of certifying with respect to their states’ legal authority. Where there are substantial administrative obstacles to involving the Attorney General in such certifications, EPA urges the state Attorney General to provide for a legally-competent designee who is available to participate in the submission of the state’s application. The second element of the application, and the most substantive, is a listing and description of the electronic document receiving systems that do or will receive the electronic submissions addressed by the requested program revisions or modifications. The application should specify the electronic submissions each system will be used to receive, and which (if any) of these submissions involve electronic signatures. In describing each system, the application should explain how the system will satisfy the applicable requirements of § 3.2000. Many of these requirements apply only to systems that receive submissions with electronic E:\FR\FM\13OCR3.SGM 13OCR3 59866 Federal Register / Vol. 70, No. 197 / Thursday, October 13, 2005 / Rules and Regulations signatures; accordingly, the descriptions for systems that receive no electronically signed submissions will be relatively short and simple. For each of the § 3.2000 requirements that do apply, the description should explain the functions the system will perform to satisfy the requirement, and the technologies that will be used to achieve this functionality. EPA does not expect such explanations to include detailed technical specifications of the systems, but rather to provide conceptual descriptions of the technical approach and functionality. In implementing this rule, EPA will provide applicants with more detailed recommendations for preparing these system descriptions, including examples and an application checklist. The third element of the application is simply a schedule of upgrades to each system addressed by the application—to the extent that such upgrades can be anticipated—together with a brief discussion of how the upgrades will assure continued compliance with § 3.2000. This third element should be thought of as an appendix to the second, recognizing that the functionality with which each electronic document receiving system addresses the § 3.2000 requirements normally exists within the dynamic environment of the system life cycle. 2. Review for completeness. Once EPA receives an application submitted under the procedures in this rule, EPA will, within 75 calendar days, send a letter that either notifies the applicant that its application is complete or identifies deficiencies that render the application incomplete. An applicant that receives a notice of deficiencies may amend the application and resubmit it. From the date EPA receives the amended application, EPA will, within 30 calendar days, respond with a letter that either notifies the applicant that the amended application is complete or else identifies remaining deficiencies. If an amended application is not submitted within a reasonable time period to remedy identified deficiencies, EPA has the authority to review and act on the incomplete application, as explained in section VI.C.3. 3. EPA actions on applications. EPA will act on an application by either approving or denying the requested program revisions or modifications. In the case of a consolidated application for revision or modification of more than one program, EPA need not take the same action on each revision or modification; some may be approved while others are denied. EPA will have 180 calendar days from the time it sends a notice of completeness to act on an VerDate Aug<31>2005 16:26 Oct 12, 2005 Jkt 208001 application in its entirety. Except in certain cases of requested revisions or modifications associated with existing systems (see section VI.C.4) or with an authorized public water system program under 40 CFR part 142 (see section VI.C.5), if EPA does not act on a program revision or modification by the end of the 180-day review period, then that revision and/or modification is considered automatically approved by EPA. The rule allows this review period to be extended, at the request of the state, tribe, or local government submitting the application. This may accommodate situations where EPA and the applicant are working through issues that may take more than the 180day review period to resolve, and they mutually find it in their best interest to continue discussion before EPA makes its decision. Where EPA approves a program revision or modification (by either affirmative or automatic approval), the approval becomes effective when EPA publishes a notice of the approval in the Federal Register. Where EPA denies a requested revision or modification, EPA will explain the reasons for the action and advise the applicant of the steps that can be taken to remedy the application’s defects and will generally try to work with the applicant to address the issues that have posed an obstacle to approval. Additionally, in some cases, denial of approval under the § 3.1000 process may result from EPA’s determination that the application raises certain issues that are highly program-specific and that these cannot be adequately addressed through the procedures provided in this rule. For example, there may be issues that require a discussion of program features that the § 3.1000(b)(1) application would not cover. In such cases, EPA will identify the issues that exceed the scope of the § 3.1000 process and will advise the applicant to request the revision or modification under the applicable program-specific procedures provided in other parts of Title 40. 4. Revisions or modifications associated with existing systems. Some applications will request modification or revision to an authorized program with an ‘‘existing electronic document receiving system’’. As noted in section VI.B.2, the deadline for submitting such applications is two years after the publication of today’s rule. Where such applications are submitted and are determined to be complete before the two-year deadline, EPA will have a 180day review-period for any program modification or revision being requested, as explained in section VI.B.3. However, where EPA sends PO 00000 Frm 00020 Fmt 4701 Sfmt 4700 notification that an application is complete after the two-year deadline has passed, for example, because the application was submitted relatively late in the two-year period, EPA will have 360 days to act on any requested modification or revision addressed by the application. As with the cases where EPA has 180 days to act, this 360-day review period can be extended at the request of the state, tribe, or local government submitting the application. The rule provides for this extended review period to deal with the possibility that EPA will receive a large number of applications associated with existing systems just before the two-year deadline expires. If the number of such applications is sufficiently large, EPA may not be able to act on all of them within a 180-day review period. States, tribes, or local governments that wish to avoid the extended review may do so by submitting their applications addressing existing systems early enough in the two-year period to ensure that EPA can determine completeness before the deadline. As noted in section VI.B.2, EPA strongly encourages such early submissions wherever they are feasible. 5. Public hearings for Part 142 revisions or modifications. Where a complete application requests a revision or modification of an authorized public water system program under 40 CFR part 142, EPA will make a preliminary determination on the request—either an approval or a denial—by the end of the 180-day review period (or the 360-day extended review period discussed in section VI.C.4). EPA will then publish a notice of the preliminary determination in the Federal Register. The notice will state the reasons for the preliminary determination, and will inform interested members of the public that they may request a public hearing on the preliminary determination. Such hearing requests must be submitted within 30 days of the notice’s Federal Register publication. If no requests are submitted, and the Administrator does not hold a hearing on his or her own motion, then the preliminary determination will be effective 30 days after the initial Federal Register publication. If a request for hearing is granted, or the Administrator determines that a hearing is warranted, EPA will publish an additional Federal Register notice announcing—at least 15 days in advance of any such hearing—the date and time of any hearing, contact information, and the purpose of the hearing. At the hearing, a hearing officer will receive oral and written testimony, and will forward a record of the hearing to the EPA Administrator. After E:\FR\FM\13OCR3.SGM 13OCR3 Federal Register / Vol. 70, No. 197 / Thursday, October 13, 2005 / Rules and Regulations reviewing the record of the hearing, EPA will by order either affirm or rescind the preliminary determination, and will publish notice of this decision in the Federal Register. If the order is to approve the revision or modification, the approval will be effective upon publication of the order in the Federal Register. 6. Re-submissions and amendments. States, tribes, or local governments whose § 3.1000 applications for revisions or modifications have been denied in whole or in part may reapply for reconsideration, using either the § 3.1000 procedures again, or, at their option, the applicable program-specific procedures. A state, tribe, or local government may also, on occasion, choose to amend a § 3.1000 application after the Administrator has determined the application to be complete. In such cases, the application will be considered to have been withdrawn and resubmitted as a new package, and a new 75-day completeness determination process will begin. An applicant may choose to withdraw and resubmit the package in this manner, for example, if it becomes clear relatively early into the 180-day review period that the application cannot be approved in its current form. For such re-submissions, EPA will work diligently to expedite the completeness determination. D. What general requirements must state, tribe, and local government electronic reporting programs satisfy? States, tribes, and local governments that accept electronic reports in lieu of paper under their authorized programs must satisfy the requirements of § 3.2000(b) and (c). Section 3.2000(b) sets forth the standards that acceptable electronic document receiving systems must satisfy, and these are explained in detail in section VI.E. In parallel with § 3.4 on federal compliance and enforcement, § 3.2000(c) requires that the state, tribe, or local government be able to seek and obtain any appropriate civil, criminal or other remedies under state, tribe, or local law for failure to comply with a reporting requirement if a person submits an electronic document that fails to comply with the applicable provisions for electronic reporting. Similarly, § 3.2000(c) contains provisions to ensure that an electronic signature provided to a state, tribe, or local government will make the person who signs the document responsible, bound, and/or obligated to the same extent as he or she would be signing the corresponding paper document. Additionally, under § 3.2000(a)(2), the authorized program must require that VerDate Aug<31>2005 16:26 Oct 12, 2005 Jkt 208001 any electronic document it accepts bear a valid electronic signature wherever the corresponding paper document would have to be signed under existing regulations or guidance, with the signatory being the same person who is authorized and/or required to sign under the current applicable provision. As in the case of direct reporting to EPA (see section V.A), the requirement for an electronic signature will apply only where the document would have to bear a signature were it to be submitted on paper, either because this is required by statute or regulation, or because a signature is required to complete the paper form. This rule does not require that authorized programs impose any new or additional signature requirements for electronic documents that are submitted in lieu of paper and were not previously required to be signed when submitted in paper form. As with direct reporting to EPA, § 3.2000(a)(2) also allows an authorized program to make special provisions for the required signatures to be executed on follow-on paper submissions. As noted in section IV.C, such provisions must ensure that the paper submission containing the signatures is adequately cross-referenced with the electronic document being signed, and must be described as a part of the § 3.1000(b)(1) application. Systems that receive electronic documents with such followon paper signature submissions are subject to all applicable § 3.2000(b) requirements, including the requirement that the electronic document cannot be altered without detection after the signature has been executed. E. What standards must state, tribe, and local government electronic document receiving systems satisfy? Section 3.2000(b) specifies the standards that electronic document receiving systems must satisfy if they are to be approved for use by states, tribes, or local governments to receive electronic documents in lieu of paper under an EPA-authorized program. EPA’s purpose in specifying such standards remains the same as it was when EPA specified the proposed § 3.2000 criteria in proposed CROMERR. As discussed in section IV.B.1, that purpose was to ensure that electronically submitted documents have the same ‘‘legal dependability’’ as their paper counterparts, so that any electronic document that may be used as evidence to prosecute an environmental crime or to enforce against a civil violation has no less evidentiary value than its paper equivalent. EPA has been motivated to provide for the legal dependability of PO 00000 Frm 00021 Fmt 4701 Sfmt 4700 59867 electronic documents submitted under authorized programs by considering, among other things: • The roles that many electronically submitted documents would likely play in environmental program management, including compliance monitoring and enforcement; • EPA’s statutory obligation to ensure that authorized or delegated programs maintain the enforceability of environmental law and regulations; and • The consequent need to ensure that enforceability is not compromised as authorized programs make the transition from paper to electronic submission of compliance or enforcement-related documents. The § 3.2000(b) standards for electronic document receiving systems in today’s rule provide an expanded version of what had been the proposed § 3.2000(b) ‘‘Validity of Data’’ criterion. Like proposed § 3.2000(b), final § 3.2000(b) requires that electronic document receiving systems reliably enable EPA, states, tribes, and local governments to prove, in civil and criminal enforcement proceedings, that the electronic documents they receive and maintain are what they purport to be, that any changes to their content are documented, and that any associated signatures were actually executed by the designated signatories intending to certify that content. Systems must be able to satisfy the § 3.2000(b) requirements for any electronic documents they receive that are submitted in lieu of paper to satisfy an authorized program requirement. The following discussion highlights some of the § 3.2000(b) requirements for electronic document receiving systems. The first five of these requirements (timeliness of data generation, copy of record, integrity of the electronic document, submission knowingly, and opportunity to review and repudiate copy of record) apply to all electronic document receiving systems. The other highlighted requirements (validity of the electronic signature, binding the signature to the document, opportunity to review, understanding the act of signing, the electronic signature or subscriber agreement, acknowledgment of receipt, and determining the identity of an individual) apply only to systems that receive electronically signed documents. 1. Timeliness of data generation. Section 3.2000(b) reflects the role that electronic document receiving systems play in supporting a wide range of compliance and enforcement-related activities, including compliance research and analysis, civil actions, and E:\FR\FM\13OCR3.SGM 13OCR3 59868 Federal Register / Vol. 70, No. 197 / Thursday, October 13, 2005 / Rules and Regulations litigation, and the fact that the success of such activities may be affected by the relative ease or difficulty of accessing the data related to electronic submissions. Accordingly, electronic document receiving systems must provide timely access to such data, especially to data relevant to the questions of what was submitted, by whom, and, where signatures are involved, who the signatories were and to what they certified. Much of this data may be assembled in the copy of record, together with any data needed to establish that the copy is a ‘‘true and correct copy of an electronic document received,’’ as specified by the § 3.3 copy of record definition. To help the litigator develop evidence and present it in the courtroom, it is advisable that the copy of record be maintained and made accessible in a form and format that requires the minimum possible ‘‘assembly’’ of its elements, so that its connection with what was received and what was certified to by any signatories is easy to understand and to demonstrate to others. 2. Copy of record. Under § 3.2000(b), an acceptable electronic document receiving system must retain and be able to make available a copy of record for each electronic document it receives that is submitted in lieu of paper to satisfy requirements under an authorized program. For such submissions, the copy of record is intended to serve as the electronic surrogate for what we refer to as the ‘‘original’’ of the document received where we are doing business on paper. The copy of record is meant to provide an authoritative answer to the question of what was actually submitted and, as applicable, what was signed and certified to in the particular case. As defined in § 3.3, a copy of record must satisfy at least four requirements. First, it must be a true and correct copy of the electronic document that was received. In the case of documents consisting of data, this means that the copy of record must contain exactly the set of data elements that constituted the electronic document that was submitted. In the case of a document consisting of other forms of information, e.g., text or images, being a ‘‘true and correct copy,’’ may mean including file and or visual format information along with the items of information themselves, to the extent the meaning of these items is dependent on format. (See the discussion of the definition of ‘‘electronic document,’’ in section IV.D.1.) For the copy of record to fulfill its intended role, it is not enough that it be a true and correct copy; it must also be capable of being shown to be a VerDate Aug<31>2005 16:26 Oct 12, 2005 Jkt 208001 true and correct copy; otherwise, it cannot meet other related system requirements, such as establishing document integrity. (See section VI.E.3, below.) The copy of record is shown to be true and correct in part by virtue of its not being repudiated by the submitters and/or signatories where it is made available for their review and repudiation. (See section VI.E.5., below.) In addition, the system must provide sufficient evidence to show how the copy of record was derived from and accurately reflects the electronic document as it was received by the system; such evidence is also necessary to establish document integrity. To provide for such evidence, the system may need to establish a chain of custody for the copy of record, particularly if there are a number of processing steps that separate the copy of record from the file as it enters the system. On the other hand, where the copy of record captures and preserves the file containing the electronic document exactly in the form and format in which it is received, then a chain of custody may not be necessary. Considerations of ‘‘timeliness’’ favor maintaining copies of record in a way that would not require a chain of custody. (See section VI.E.1., above.) Second, the copy of record must include all the electronic signatures that have been executed to sign the document or components of the document. The method of inclusion may vary, depending on the nature of the signature. With a digital signature, created by encrypting a hash of the document being signed with the private key in a private/public key-pair, the signature is simply a number that can and should be contained as a copy of record element. There is no risk of signature theft in this case. Each digital signature is bound to the specific document it signs, and the private key, which is actually used for signing, is inaccessible to a would-be intruder. With other forms of signature such as personal identification numbers (PINs) or passwords, items of personal information, or biometric images or values, including the signature as a copy of record element may raise signature theft issues. At least in theory, such signatures could be detached or copied from a copy of record and re-used spuriously without detection. To address this risk, the signature, especially in the case of a PIN or password, may be encrypted for storage, perhaps together with a hash of the document signed, to bind the signature to the document content. Another approach may be to validate the signatory’s identity, e.g. by comparing a PO 00000 Frm 00022 Fmt 4701 Sfmt 4700 signatory-generated password with an encrypted version maintained securely at the electronic document receiving system. In such cases, the signatorygenerated password—which might be regarded as the signature—never actually appears on the electronic document, so the signature that is ‘‘included’’ in the copy of record may be an encrypted form of the signature, or possibly nothing exactly corresponding to a signature at all, but rather pointers or references to the processes or encrypted data that provide the actual link to the signatory. There are analogous strategies for biometric signatures. For example, the validity of a biometric (e.g., a finger print, a retinal scan, etc.) may be established by using certain statistical algorithms to evaluate data provided by the biometric. In such cases, the copy of record might document the process of validating the signature, but without including the biometric data that was used to show that the signature was valid. On any of these approaches, the copy of record may satisfy the requirement that the copy ‘‘include’’ the signatures, provided that what the copy does contain serves to establish whether the electronic document in question was signed and by whom. Third, the copy of record must include the date and time of receipt to help establish its relation to submission deadlines, to the circumstances of its submission, and to other possibly associated documents that may have been submitted or alleged to have been submitted. This is not generally problematic, except in cases of continuous streams of data conveyed to the system. For such continuous data, reasonable alternatives may be substituted that serve the same purposes, for example, associating stages of the data flow with dates and times, say, at hourly intervals. Similarly, the copy of record may include other additional information to the extent that this is needed to establish the meaning of the content and the circumstances of receipt. Such additional information might include data field labels, signatory information such as references to PKI certificates, and transmission source information. Fourth, the copy of record must be viewable in a human-readable format that clearly indicates what the submitter and, where applicable, the signatory intended that each of the data elements or other information items in the document means. This supports the copy of record’s role as a surrogate ‘‘original’’ of the paper document, and serves to establish the content of the document as it was signed and/or E:\FR\FM\13OCR3.SGM 13OCR3 Federal Register / Vol. 70, No. 197 / Thursday, October 13, 2005 / Rules and Regulations submitted. The copy of record may satisfy this requirement in many different ways. It might actually include explicit labels or descriptions for each data element or information item, or preserve a visual format in which the data were submitted. Alternatively, it may incorporate a conventional ordering of the items or elements, where the information that associates such ordered data with labels, descriptions, or other means of visual display is maintained externally and can be invoked as needed—for example, to make the data elements appear within fields in the image of a filled-out form. Where the electronic document is created off-line by the submitter and conveyed as a whole to the receiving system, it is preferable for the copy of record to reflect the mechanism or format for indicating meaning supplied in the submission. For example, if the submission is in some standard electronic data interchange format, then the copy of record might usefully preserve that format. Taking this approach will help to resolve potential chain of custody issues if questions arise about whether the copy of record is true and correct. However, in cases where the electronic document is created on-line, for example, through the use of a web-form, the format for the copy of record will of necessity be an artifact of the electronic document receiving system itself. This is not problematic, as long as the system provides a way to ensure that the meaning of each data element as supplied by the submitter remains unambiguous. Some commenters objected to copy of record requirements because of the potential expense of redesigning systems that are not currently capable of creating and storing electronic copies of records. EPA notes, however, that systems satisfying copy of record requirements need not preserve the electronic documents received in separate or special storage apart from the files that maintain the data or information content of the documents. For example, data loaded from submitted electronic documents to a database may satisfy copy of record requirements where the stored content includes the signatures, the date/time of receipt, and an adequate chain of custody. This may be the most practical copy of record approach for receiving continuous data streams. Such an approach does not preclude satisfying the requirement that the copy of record be viewable in a human-readable format. The requirement does not mean that the data must be stored in a human- VerDate Aug<31>2005 16:26 Oct 12, 2005 Jkt 208001 readable format, so long as there is a well-documented way to display the stored data in such a format. In addition, nothing in the ‘‘copy of record’’ definition requires such copies to be electronic. Particularly where the signature involves some easily represented numerical value, the copy of record may be created and maintained in an imaging medium or on paper, provided that such copies can be shown to have been created by the electronic document receiving system to be true and correct copies of the electronic documents received. Whether such alternatives are appropriate as interim or even long-term solutions will depend on individual circumstances. It may be difficult to provide a copy of record for review and possible repudiation if the copy is not available as an electronic document that can be viewed on-line or downloaded through the network. 3. Integrity of the electronic document. Under § 3.2000(b)(1)—(2), an acceptable electronic document receiving system must be able to establish that a given electronic document was not altered without detection in transmission or at any time after receipt, and any such alterations must be fully documented. For purposes of § 3.2000(b)(1)—(2), EPA excludes alterations that have no effect on the document’s information content. Examples of excluded alterations include the separation of a transmitted file into packets and their error-free recombination, the error-free processes of file compression and extraction, as well as certain disk maintenance functions that may, for example, involve physically repositioning file components on the storage medium. To satisfy § 3.2000(b)(1)—(2) requirements with respect to alterations that do affect information content, a system may rely on a number of different but complementary capabilities, including general provisions for system security, access control, and secure transmission. Additionally, the system’s copy of record provisions help make the case that the electronic document is unaltered, or has been altered only as documented (for example, through a chain of custody), a case which is strengthened where submitters and/or signatories have had the opportunity to review the copy and have not contacted the system to repudiate the copy. Finally there are specific technical approaches to ensuring integrity, based, for example, on calculating hash values associated with the document content. 4. Submission knowingly. Under § 3.2000(b)(3), an acceptable electronic document receiving system must PO 00000 Frm 00023 Fmt 4701 Sfmt 4700 59869 provide evidence that the submitter had some reliable way of knowing and/or confirming that the submission took place. This requirement is necessary to help establish submitter responsibility for the electronic document and to rule out spurious submissions, whether by accident or through the actions of an unauthorized submitter or ‘‘hacker.’’ EPA believes that to satisfy this requirement, the system must have some follow-on communication with the submitter related to the submission. This could be a communication initiated by the submitter in cases where it is realistic to rely on submitters to regularly check the system for evidence of documents submitted; where such submitter interactions are relied upon, they must be documented. Alternatively, the system must send some form of acknowledgment of submission as a response to the submitter named, and must document such acknowledgments, recording at least their date, time, content and the addresses to which they were sent. For cases where the electronic document bears an electronic signature, this acknowledgment is explicitly provided for under § 3.2000(b)(5)(vi). (See section VI.E.11.) 5. Opportunity to review and repudiate copy of record. Under § 3.2000(b)(4), the copy of record must be available for review and timely repudiation by the individuals to whom the document is attributed, as its submitters and/or signatories. The fact that the copy was available for this review and was not repudiated provides strong support for its being a ‘‘true and correct copy of an electronic document received,’’ as specified by the § 3.3 copy of record definition. Program managers normally would set reasonable end dates for this process, especially where there is concern that the copy is not ‘‘officially’’ a copy of record until the process is complete. Satisfying this ‘‘opportunity to review’’ provision involves at least two requirements. The first is that the identified submitters and/or signatories must have some way of knowing that their submission was received, and that a copy of record is available for review. This requires some follow-on communication with the submitters and signatories related to the submission— initiated either by the submitters/ signatories or by the system, as discussed in section VI.E.4. Approaches should be avoided that allow the initial submission and provision of copy of record to occur as a part of the same online session, because in cases of spurious submission the identified submitters/signatures may never learn E:\FR\FM\13OCR3.SGM 13OCR3 59870 Federal Register / Vol. 70, No. 197 / Thursday, October 13, 2005 / Rules and Regulations that a copy of record exists. Second, to ensure that the opportunity to review and repudiate is meaningful, the copy of record must be viewable in a humanreadable format that clearly and accurately associates all the information elements of the electronic document with descriptions or labeling of those elements. This second requirement is consistent with the definition of ‘‘copy of record,’’ as discussed in section VI.E.2. 6. Validity of the electronic signature. Under § 3.2000(b)(5)(i), for each electronic document that is required to bear an electronic signature, the receiving system must be able to establish that each electronic signature was a valid electronic signature at the time of signing. Under § 3.3, as discussed in section IV.D.5, a valid electronic signature must satisfy three conditions. The first is that the signature must be created with a signature device that is ‘‘owned’’ by the individual designated as signatory—‘‘owned’’ in the sense that this individual is uniquely entitled to use it for creating signatures. To establish this, an electronic document receiving system must be able to identify signature device ‘‘owners’’ and must be able to determine that an identified signatory is the owner of the device used to create the signature in question. Section 3.2000(b)(5)(vii) explicitly requires the ability to identify signature device owners, and section VI.E.12 of this Preamble discusses the § 3.2000(b)(5)(vii) requirements in detail. Concerning the determination that an identified signatory is the owner of the device used to create the signature, the system needs to have unique signature validation criteria for each identified signature device owner who submits electronically signed documents; the system must be able to apply these criteria to each signature on documents received. For example, in the case of a digital signature, the validation criteria include the existence of a valid PKI certificate for the identified signatory and the ability of the associated public key to decrypt the encrypted message digest that constitutes the signature. In the case of a PIN, the validation criterion may be simply that the PIN added to the document as a signature matches the PIN on file for the identified signatory. The second condition for an electronic signature to be considered valid is that the signature must be created with a device that has not been compromised. That is, at the time of signing, the electronic signature device must in fact be available only to the VerDate Aug<31>2005 16:26 Oct 12, 2005 Jkt 208001 individual identified as its owner, and to no one else. Otherwise, the use of the device to create the electronic signature may not provide evidence that a specific, identifiable individual has certified to the truth or accuracy of an electronic document. Accordingly, an acceptable electronic document receiving system must provide evidence that the electronic documents it receives and maintains do not contain signatures executed with compromised devices. Such evidence will document the system’s approach to three related functions: prevention of signature device compromise, detection of compromises where they occur, and rejection of known compromised submissions. The approach to prevention will include the way the system notifies submitters of their obligations to avoid signature compromise, including the obligation not to share or delegate the use of the device as a part of the electronic signature agreement. (See sections IV.D.4 and VI.D.8. of this Preamble, respectively.) Prevention also involves choosing the kinds of signature devices to support and determining how they are to be used. Some devices are inherently vulnerable to compromise, for example, because protection from spurious use relies on ‘‘secret’’ (such as a PIN or password) that has to be shared when the device is used. However, vulnerable devices can sometimes be strengthened with appropriate implementation. In the case of a PIN or password, adding an element that does not rely on secrecy—e.g. a physical ‘‘token,’’ such as a smart card or employee badge—that had to be used along with the PIN or password may greatly reduce the device’s vulnerability. Alternatively, a system accepting secret-based signatures might be programmed to query the would-be signatory about a randomly selected piece of private information that has been (or could be) verified. This approach would also reduce vulnerability to compromise, since the discovery of a secret number or password does not convey other private information about the secret’s owner. For detection of compromises, there are two complementary approaches. The first is to ensure that the system recognizes the signs of spurious submission, for example, duplicate reports, off-schedule submissions, and deviations from normal content or procedure. The second is to ensure that the system empowers submitters to detect and report spurious submissions by providing the regular ‘‘out of band’’ acknowledgments discussed in section VI.E.11. Once spurious submissions are PO 00000 Frm 00024 Fmt 4701 Sfmt 4700 detected, the system must ensure their rejection, and the rejection of any subsequent submissions that use the same device. An acceptable receiving system must provide for timely revocation or suspension of access by those individuals with compromised signature devices. Finally, a signature must be created by an individual who is authorized to do so, primarily by virtue of his or her relationship with the regulated entity on whose behalf the signature is executed. An electronic document receiving systems must be able to determine whether the identified signatories have the necessary relationship with the regulated entity that enables them to sign the documents being submitted. Generally, the system would obtain the information necessary for these determinations along with establishing the identity of the signature device owners. Section VI.E.12 of this Preamble discusses this point in more detail. The system must also have some way to keep this information up-to-date, for example, some way to reject signatures where it is known that the signature device owner is no longer authorized to sign the electronic document in question. As with the initial registration process, the provisions for updating this information may vary. For some cases, it may be sufficient to rely on voluntary notifications from registrants when, e.g., their job status changes. For other cases, it may be appropriate to identify a responsible company official who is charged with managing the authorizations of employees signing documents on behalf of the company, to include keeping records of changes in authorization status and/or sending notifications. For certain cases, the system might limit a signature device owner’s authorization to a defined period, which could be extended only through a re-registration process. 7. Binding the signature to the document. Under § 3.2000(b)(5)(ii), an acceptable electronic document receiving system must establish that electronic documents cannot be altered without detection once such documents are signed. Well-implemented provisions for copy of record help satisfy this requirement. The fact that a signatory has not repudiated a document’s copy of record that he or she has had the opportunity to review provides evidence that the copy accurately reflects the document as it was signed. However, even where the signatory affirms the authenticity of the copy of record at the time of review, he or she may still repudiate the document at a later date. Therefore, an acceptable electronic document receiving system E:\FR\FM\13OCR3.SGM 13OCR3 Federal Register / Vol. 70, No. 197 / Thursday, October 13, 2005 / Rules and Regulations must provide a method of ensuring that any breach of a signed document’s integrity can be detected. As discussed in section IV.B.2., such methods are available in the form of signatures that incorporate a hash value of the content being signed, or in the form of signature processes that involve the creation of this hash and its maintenance in association with the signed document. Encrypting the hash value, for example, by executing a digital signature, provide the strongest approach to rebutting claims that the hash has been manipulated. Encryption may not be necessary to the extent that the system provides other means to prevent tampering and establish that the hash has not been altered since it was calculated. 8. Opportunity to review. Where a signatory is certifying to the truth or accuracy of document content, the certification represents the signatory as knowing and understanding the content, as well as certifying to its truth. Under § 3.2000(b)(5)(iii), an acceptable electronic document receiving system must be able to provide evidence that the signatory had the opportunity to review what he or she was signing in a human-readable format. Providing this evidence may be relatively simple, depending on the signature/certification scenarios that the system provides for or allows. In a case where the system only allows signature/certification during an on-line client-server session, and where the server always explicitly gives the signatory the option of scrolling through an appropriately-formatted display of the submission content before signing, documenting these server functions should suffice to provide the required evidence. Cases that may be similarly straightforward include those where signature/certification takes place offline, at the signatory’s computer, but using software provided by or certified by the governmental entity whose system will receive the signed electronic document. In this case, the evidence is provided by documenting how the software works. Less straightforward are cases where the signature/certification software is completely beyond the control of the governmental entity. In such cases, evidence of the opportunity to review may need to rely on the use of a submission format that demonstrably allows a human-readable display of the content. For example, the fact that the file format is a Word or Excel file and that the file provides a human readable display when opened with the right program may constitute sufficient evidence that the opportunity to review has been provided. VerDate Aug<31>2005 16:26 Oct 12, 2005 Jkt 208001 9. Understanding the act of signing. Where a signatory is certifying to the truth or accuracy of document content, the certification affirmatively represents that the signatory understands both what the act of signing means and that he or she is subject to criminal liability for false certification. Reporting formats in the paper medium provide evidence that certifications are made with the requisite understandings by placing the certification statement in a clearly visible position near the place where signatures are to be affixed and by prominently displaying the statement that there are criminal penalties for false certification. Under § 3.2000(b)(5)(iv), an acceptable electronic document receiving system must ensure that such statements are presented in conjunction with electronic signature/certification. Satisfying this requirement is straightforward where the system itself provides for the signature process or where the governmental entity receiving the submission provides or otherwise has control over the signature/ certification software being used. In other cases, satisfaction will depend on requiring that the signatories and/or submitters incorporate such statements into their documents before they are signed or into screens that are displayed prior to signature. Confidence that the requirement is satisfied will depend in part on the extent to which the submission process involves the use of common, easy-to-display file structures together with the software to display the files being signed. 10. The electronic signature or subscriber agreement. Under § 3.2000(b)(5)(v), an acceptable electronic document receiving system must be able to provide evidence that any signatory of documents received by the system has signed an electronic signature agreement or subscriber agreement with respect to the electronic signature device he or she uses to sign the documents. ‘‘Electronic signature agreement’’ and ‘‘subscriber agreement’’ are defined under § 3.3, the latter referring to electronic signature agreements that are executed with ink on paper. (The distinct role of subscriber agreements is explained in section VI.E.12.) By signing such agreements, an individual agrees to protect his or her signature device from compromise, that is, to keep a secret code secret, a hardware token secured, etc., and not to deliberately compromise the device by making it available to others. He or she also agrees to promptly report any evidence that the device has been compromised, for example, to promptly notify the system manager if PO 00000 Frm 00025 Fmt 4701 Sfmt 4700 59871 he or she receives system acknowledgments of submissions he or she did not make, or if the device has become available to others. Finally, by signing the electronic signature or subscribed agreement, an individual agrees that use of his or her electronic signature device to sign documents creates obligations and/or legally binds him or her to the same extent as he or she would be bound or obligated by executing handwritten signatures. EPA believes that such agreements are necessary to assure—and provide evidence—that the signatory recognizes his or her obligations with respect to the electronic signature device. Insofar as the institutions surrounding the use of electronic signatures are relatively new, EPA believes that express recognition of signatory obligations through explicit agreements avoids potential ambiguity or misunderstandings. 11. Acknowledgment of receipt. Where an electronic signature is used to certify to the truth or accuracy of document content—with criminal liability for false certification—then it is especially important to ensure that any individual identified as signatory has the opportunity to detect and repudiate any spurious submissions made in his or her name through unauthorized access to signature device and/or the electronic document receiving system. To provide for this, § 3.2000(b)(5)(vi) requires the system to automatically send acknowledgments of document receipt to the individuals in whose names the submissions are made, the acknowledgments in each case identifying the document in question, the signatories, and the date and time of receipt. Additionally, § 3.2000(b)(5)(vi) requires that each acknowledgment be sent to an address with access controls different and separate from those that enable the submission itself, so that in cases of compromised access, the individual in whose name a submission is made would still receive the acknowledgment without interference. This is sometimes referred to as ‘‘out of band’’ acknowledgment. In web-based commerce, this is fairly standard practice—a purchase is normally acknowledged directly to the internet protocol (IP) address from which the purchase is made, as a part of the online session, but also is confirmed through a follow-up communication to an email address. Note that while the ‘‘out of band’’ acknowledgment is normally sent electronically, electronic transmission is not required. A paper acknowledgment sent by U.S. Mail, or a voice acknowledgment via telephone would serve the same purpose so long E:\FR\FM\13OCR3.SGM 13OCR3 59872 Federal Register / Vol. 70, No. 197 / Thursday, October 13, 2005 / Rules and Regulations as these are documented by the system so they may be produced, possibly as evidence, at a later date. 12. Determining the identity of the individual uniquely entitled to use a signature device. As discussed in section VI.E.6, a system cannot accept an electronic signature as valid unless it establishes an identity between the individual designated as signatory and the owner of the device used to create the signature. Any circumstance casting doubt on the device’s ownership undermines the certainty that signatures created with the device are valid; if it’s not certain whose device created the signature then it’s not certain whether the actual signatory is the individual who is designated as signatory in the submitted document. Additionally, it must be clear what the signature device owner’s relation is to the entity on whose behalf a document is signed, in order to be certain that this device owner is an authorized signatory. This is also a condition of signature validity. (See section VI.E.6.) Accordingly, to assure that electronically signed documents are legally reliable, a system accepting such documents must have a process for determining who owns the signature devices used to create the signatures, and their relations to the entities on whose behalf they sign submitted documents. Section 3.2000(b)(5)(vii) explicitly reflects this performance standard by requiring that a system provide for such determinations ‘‘with legal certainty.’’ That is, the system must be able to provide evidence sufficient to prove the signature device owner’s identity and relation to entities on whose behalf he or she signs in a context where designated signatories may have an interest in repudiating their signature device ownership or in distancing themselves from the entities on whose behalf they are supposed to have signed. Section 3.2000(b)(5)(vii) does not specify how this performance standard is to be met, however, at a minimum, an ‘‘identity-proofing’’ capability must involve access to a set of descriptions that apply uniquely to the individual in question and refer to attributes that are durable, documented, and objective. Such descriptions must be capable of being shown at any time to uniquely identify the individual without having to depend on anyone who might have an interest in repudiating the identification. Section 3.2000(b)(5)(vii) requires that more specific conditions be met for the special class of electronically signed documents that are included in the list that defines ‘‘priority report’’ under § 3.3 and Appendix 1 to Part 3. The priority VerDate Aug<31>2005 16:26 Oct 12, 2005 Jkt 208001 reports are those that EPA has identified as likely to be material to potential enforcement litigation. Given this likelihood, it is important to provide not only for the provability of signature device ownership in principle, but for the practical need to make this proof with the resources typically available to enforcement staff and within the constraints of the judicial process in criminal and civil proceedings. To address this practical dimension of identity-proofing in the case of priority reports, § 3.2000(b)(5)(vii) adds three conditions to the general performance standard. The first is that the identity of a signature device owner must be verified before the system accepts any electronic signature created with the device. The second, in § 3.2000(b)(5)(vii)(A), is that this verification must be ‘‘by attestation of disinterested individuals.’’ The third condition, also contained in § 3.2000(b)(5)(vii)(A), specifies that the verification be ‘‘based on information or objects of independent origin, at least one item of which is not subject to change without government action or authorization.’’ Regarding the first condition, requiring identity-proofing before the signature device is used helps prevent systems from accepting electronic signatures that cannot be proved to be valid in the context of an enforcement proceeding. This is at least a potential concern in any case of electronic signature, but it is also a very real concern in cases where what is signed is a priority report. The second condition anticipates the need to prove signature device ownership in court, by ensuring the availability of someone credible to offer testimony about the device owner’s identity who does not have an interest in repudiating device ownership. This is the idea of verification by a ‘‘disinterested individual,’’ the term defined under § 3.3 as ‘‘a person who is not the employer; the employer’s corporate parent, subsidiary, or affiliate; contracting agent; or relative (including spouse or domestic partner) of the individual in whose name the electronic signature device is issued.’’ The condition suggests an identity-proofing process carried out by a trusted third party, and, in the current electronic commerce environment, this would typically be a PKI certificate authority (CA), whose business is to issue certificate-based electronic signature devices that reflect identity-proofing at a specified level of assurance. However, it is important to be clear that verification by a ‘‘disinterested PO 00000 Frm 00026 Fmt 4701 Sfmt 4700 individual’’ does not have to involve a PKI-based approach to electronic signatures. Indeed, it does not have to involve a third party at all; the disinterested individual could simply be an employee of the agency operating the electronic document receiving system, if that agency itself has the resources to provide for identityproofing as it registers signature device owners to use the system. Additionally, if a trusted third party is wanted, there are alternatives to the CA. For example, with an appropriately defined procedure, a notary public or some local government official could play this role; so could some other governmental agency, such as department of motor vehicles, which is in the business of issuing credentials based (usually) on in-person verification of identity. The third condition sets a standard for the evidence on which verification of identity would be based—evidence that would be attested to by the disinterested individual provided for by the second condition. The standard refers to ‘‘information or objects’’ and for each requires that they be ‘‘of independent origin’’ and include at least one item that requires ‘‘governmental action or authorization’’ to change. Information ‘‘of independent origin’’ must be knowable empirically, and not simply as a matter of someone’s say so; objects of independent origin could provide such information. Such information, where it concerns an individual’s identity, would generally come from three sources: first, documented, direct, in-person contact; second, documentation of the individual’s history—e.g., as an employee, a consumer, a student, etc.—with objects such as credit cards, passports, etc., sometimes together with corroborating testimony; and third, forensic evidence of unique, immutable traits, from such objects as fingerprints, photos, and handwritten signatures. Evidence of identity from any of these three sources will meet the § 3.2000(b)(5)(vii)(A) standard, provided that the information used also includes at least one item that cannot be changed without governmental action or authorization—for example, a social security number, a passport number, or a driver’s license number. This last requirement helps assure that the identifying information used is sufficiently well-documented and durable to support re-verification of identity at some later date. The requirement also facilitates identityproofing that relies on database searches, insofar as data on individuals tends to be keyed to government-issued identifiers. Finally, while such E:\FR\FM\13OCR3.SGM 13OCR3 Federal Register / Vol. 70, No. 197 / Thursday, October 13, 2005 / Rules and Regulations identifiers are items of information, they typically are presented on objects—e.g. a driver’s license or a passport—that provide independent evidence of their authenticity. EPA recognizes that the identityproofing requirements specified in § 3.2000(b)(5)(vii)(A) may be difficult to implement in some cases. The rule therefore allows a system to meet the § 3.2000(b)(5)(vii)(A) requirements for cases of priority reports in other ways. Under § 3.2000(b)(5)(vii)(C), a system may collect a subscriber agreement (see section VI.E.10) from each signatory of the priority reports received by the system, in lieu of satisfying § 3.2000(b)(5)(vii)(A). Alternatively, the system may collect a certification from a ‘‘local registration authority’’ (LRA) that such a subscriber agreement has been executed and is being securely stored. As defined under § 3.3, an LRA is an individual who plays the role of a custodian of subscriber agreements, maintaining these paper agreements as records and sending the system a certification of receipt and secure storage for each such agreement he or she receives. The presumption is that such certifications would be sent electronically to the system as signed electronic documents. To become an LRA, an individual must have his or her identity established by notarized affidavit, and must be authorized in writing by the regulated entity to issue these ‘‘agreement collection certifications’’ (defined under § 3.3) on its behalf. A state, tribe, or local government adopting the subscriber agreement alternative might chose to implement through LRAs as a way of reducing the pieces of paper it had to manage in operating its electronic document receiving system. While setting up the LRA relationships requires the collection of affidavits and authorizations on paper, this involves far fewer paper transactions than collecting the individual subscriber agreements from each person who signs priority reports. However, only larger companies or facilities with many employees signing priority reports are likely to be motivated and able to designate a company official as an LRA. Although nothing in the rule prohibits third parties from serving as LRAs for the smaller companies, a subscriber agreement implementation will probably always involve accepting some of these agreements directly from priority report signatories. What is essential under § 3.2000(b)(5)(vii)(C) is that a subscriber agreement be available, as needed, to establish the identity of the associated signature device owner. VerDate Aug<31>2005 18:22 Oct 12, 2005 Jkt 208001 Identity in this case is established based on the forensic properties of the handwritten signature on the agreement. Finally, § 3.2000(b)(5)(vii)(B) gives states, tribes, or local governments the flexibility to propose identity-proofing methods that may not meet the specific requirements of § 3.2000(b)(5)(vii)(A), but which are no less stringent than the methods that satisfy § 3.2000(b)(5)(vii)(A). For example, if a method of electronic identity-proofing were proposed that relies on the attestations of an LRA who is not a disinterested party, EPA would look for other features in the identity-proofing method that guarantee the identity of the LRA and the trustworthiness of the identity-proofing that the LRA would conduct. Similarly, if an identityproofing method were proposed that relies on objects or information that are not of independent origin (e.g., a company identification card), EPA would look for other features in the authentication method that guarantee that the registrant’s identity could not have been manufactured by the registrant or another interested party. EPA’s expectation is that the advance of technology may also make new methods of identity-proofing available that meet the needs of the enforcement community, and we expect that § 3.2000(b)(5)(vii)(B) could be used to accommodate such new methods when implemented as part of electronic document receiving systems. VII. What are the costs of today’s rule? A. Summary of Proposal Analysis The Agency has conducted a number of analyses to ensure that this rule complies with the various statutory and administrative requirements that apply to EPA regulations. The results of the analyses are summarized in this section. In the proposal, EPA estimated that the proposed rule could result in an average annual reduction in burden of $52.3 million per year for those facilities reporting, $1.2 million per year for EPA, and $1.24 million for each of the 30 states that were assumed to implement programs over the eight years of the analysis. EPA received many comments on the costs associated with the proposed electronic reporting provisions. Comments included concerns about the proposal’s assumptions related to the number of affected entities, the number of registered users per facility, the costs to state programs, and the costs of implementing standard formats. Several commenters expressed support for the analysis findings, concurring that electronic reporting will reduce their PO 00000 Frm 00027 Fmt 4701 Sfmt 4700 59873 environmental reporting costs. EPA’s response to these comments is explained in the following section. Additional comments on the cost analysis and EPA’s responses can be found in the rulemaking docket, in the Response to Comments document. B. Final Rule Costs In response to comments received on the proposed rule, EPA conducted additional cost analyses to determine the impacts of this rule on regulated entities, states, tribes, and local governments, and EPA programs. In developing the analysis for this final rule, EPA relied heavily on existing sources of data that included: • EPA’s 2002 Government Paperwork Elimination Act (GPEA) Report to OMB; • Interviews with EPA programs, states, and nine industry representatives currently using CDX to report electronically; • EPA’s Information Collection Requests (ICRs); • EPA’s Envirofacts Warehouse and Facility Registry System; • Follow-up to comments received from twenty state and local government agencies and several major industry associations; and • Market research to assess trends of large and small companies using the Internet, costs of technology for electronic signature and data exchange formats, and other technical issues. Based on the additional analyses, EPA estimates that under this rule there will be a total cumulative cost savings to the Agency, over the period 2003 to 2012, ranging from $64.4 million to $75.4 million, depending on the discount rate used. For those that adopt electronic reporting, EPA estimates a total cumulative cost burden to state and local governments under this rule, over the period 2003 to 2012, ranging from $57.2 million to $65.2 million annually, depending on the discount rate used. These costs result from the incremental burden to states to upgrade their receiving systems to meet the rule’s standards and apply for EPA approval of program modifications and revisions. The model does not consider the potential cost savings to state and local governments resulting from processing electronic submittals but believes the savings would likely offset these incremental costs. For facilities, EPA estimates a total cumulative cost during this period ranging from $41.6 million to $51.9 million, depending on the discount rate used. The net total cumulative cost of this rule, over the period 2003 to 2012, ranges from $34.4 million to $41.7 million, depending on the discount rate used. E:\FR\FM\13OCR3.SGM 13OCR3 59874 Federal Register / Vol. 70, No. 197 / Thursday, October 13, 2005 / Rules and Regulations C. General changes to methodology and assumptions The research effort for the final rule differed from that conducted for the proposal in that it was much broader and involved far greater engagement with external stakeholders. EPA used this research to reevaluate assumptions made in the proposal and to refine the overall approach to the cost-benefit analysis. The process of reevaluating costs to regulated entities included: • Analyzing the GPEA report to determine the specific information collections identified as being suitable for electronic reporting and their implementation schedule; • Evaluating each information collection request for an understanding of the types of activities that would be eliminated (such as mailing paper forms) or reduced (manual data quality checks) through electronic reporting; • Interviewing trade associations, reviewing comments received, evaluating market trend research, and querying Envirofacts warehouse and Facility Registry System to establish an understanding of the numbers of potential facility representatives that would register for a particular program, the rate of electronic reporting growth in a program, the number of facilities using web forms or file exchanges, and the relative distribution of small to large businesses; and • Establishing an understanding of the time required by facilities to register with CDX and maintain a CDX account, through interviews with CDX registered users and the CDX hotline. The process of reevaluating costs and benefits to EPA, state, tribes, and local governments, included: • Meeting with EPA programs and state program counterparts to identify the broad range of EPA authorized programs and the types and number of agencies under each program; • Interviewing state and local agencies and their associations as follow-up to public comment to obtain an understanding of their current electronic reporting systems, long-term plans, and perceived impacts to their systems from this rule; • Evaluating current information technology expenditures of CDX and other program system development efforts, and general costs of EPA rulemakings with respect to federal costs and benefits. In preparing the CBA, EPA used a computer model to estimate the annual costs to EPA, state and local governments and regulated entities. To evaluate the costs and benefits of this rule, two scenarios were modeled: a VerDate Aug<31>2005 16:26 Oct 12, 2005 Jkt 208001 ‘‘Baseline’’ scenario in which EPA would enable electronic reporting through an approach other than CROMERR and a ‘‘To Be’’ scenario in which EPA enables electronic reporting under CROMERR. In comparing the cumulative costs of this rule, EPA notes that the ‘‘To Be’’ scenario would be a more efficient approach than the ‘‘Baseline’’ scenario. Under the ‘‘Baseline’’ scenario, EPA programs would be left to implement their own program-specific electronic reporting requirements and electronic document receiving systems. Also, under the ‘‘Baseline’’ scenario, electronic reporting would be delayed, because EPA would have to generate separate rules and guidance to support programspecific electronic document receiving systems. Once these systems were established, reporting entities could conceivably be required to register under different rules and through different systems across EPA programs. Based on the new research, EPA revised assumptions about the costs associated with authorized programs and corresponding benefits to the reporting entities. In contrast to the proposal, EPA does not claim the costs associated in building electronic document receiving systems for authorized programs (state, tribe, and local) or the benefits for their reporting entities in using these systems. Since it is clear that authorized programs intend to proceed with electronic reporting on their own regardless of this rule, the analyses for the final rule looks at the incremental costs to electronic document receiving systems that would be developed absent this rule, in meeting the final rule’s requirements. Based on research and comments received on the proposal, EPA also revised the following key cost assumptions: • Increased costs for XML. EPA substantially increased the cost estimate of integrating an XML format into a facility’s environmental management system (from $4,000 to $10,000). • Increased number of registered users. EPA substantially increased the number of registrants (from 3 registrant/ facility to 6 registrants per facility) in large companies that would use CDX. • Broadened impacts of authorized programs. EPA substantially broadened the number of state, tribe, and local environmental agencies potentially impacted by the rule, to include health departments, county air boards, oil and gas agencies, and publicly-owned treatment works. PO 00000 Frm 00028 Fmt 4701 Sfmt 4700 VIII. Statutory and Executive Order Reviews A. Executive Order 12866 Pursuant to the terms of Executive Order 12866 (58 FR 51735, October 4, 1993), it has been determined that this rule is a ‘‘significant regulatory action’’ because it raises novel legal or policy issues. As such, this action was submitted to OMB for review. Changes made in response to OMB suggestions or recommendations are documented in the public record. For EPA, the average annual cost to implement and operate electronic reporting under this rule is estimated to be $60.94 million. The average annual cost to implement and operate electronic reporting in the absence of this rule (i.e., where EPA implements electronic reporting on a programspecific basis) is estimated to be $70.36 million for EPA. The average annual cost savings to EPA under this rule is $8.42 million. The average annual cost to states, tribes, and local governments in initially upgrading their electronic receiving systems and obtaining EPA approval for appropriate program modification under the rule ranges from roughly $5,000 to $460,000, depending on the number of systems and extent of the upgrades needed. In addition, states, tribes, and local governments that upgrade their systems are expected to incur system maintenance costs averaging about $10,000 annually. These costs reflect solely the incremental costs resulting from the rule; they do not reflect the cost savings that states, tribes, and local governments will experience in implementing their receiving systems. EPA has not quantified these savings as part of its analysis. It should be noted that EPA expects today’s rule to produce a net cost savings for states, tribes, and local governments. However, it is not possible to provide an adequate year-by-year comparison of the costs of the two scenarios, because the Baseline Scenario anticipates a more gradual process of EPA approval for state, tribe, and local government electronic reporting systems, starting at a later point in time. The average annual cost to facilities to submit electronic reports to EPA in compliance with today’s rule ranges from $9 for those entities that choose simply to use a web browser to access CDX and fill out web forms, to $10,000 per facility for those companies that wish to configure their environmental management systems to exchange data with CDX, using agreed-upon data exchange formats. In addition to the monetary benefits identified by the analysis, EPA also E:\FR\FM\13OCR3.SGM 13OCR3 Federal Register / Vol. 70, No. 197 / Thursday, October 13, 2005 / Rules and Regulations believes that there are many qualitative benefits that justify the initial costs associated with the rule. These benefits include: • Responding to federal requirements, such as GPEA, which, among other things, requires federal agencies to allow individuals or entities that deal with the agencies the option to submit information or transact with the agency electronically. This rule sets the legal framework for most major EPA initiatives implementing electronic environmental data exchanges with the various stakeholders. • Maintaining consistency with emerging industry commercial practices. The implementation of electronic government initiatives is a reflection of the rapid evolution of electronic commerce, which has occurred in industry since the expansion of the Internet and the World Wide Web (WWW), in the early 1990s. In many ways, EPA and state, tribe, and local environmental agencies’ implementations of electronic reporting under today’s rule will be more consistent with emerging practices and less burdensome to industry than paper reporting. • Providing sound environmental practice. Part of EPA’s mission is conserving environmental resources. The traditional paper-based reporting practices and processes consumes trees and other resources for printing, exchanging, reproducing, storing, and retrieving grants, permits, compliance reports, and supporting documents. • Fostering more rapid environmental compliance reporting. Organizations have become increasingly environmentally conscientious. This change stems both from a desire to be good corporate citizens and from fear of negative media reporting. Hence, organizations, especially large companies, are becoming increasingly interested in being able to demonstrate their environmental compliance. More rapid and accurate public posting of compliance data by environmental agencies is one way to help achieve this goal. • Simplifying facility reporting. Electronic reporting and EPA’s planned implementation support a single point of entry into agency systems, which will enhance facilities’ ability to locate appropriate regulations, obtain information, ask questions, obtain forms, and submit data. • Providing more accurate data. Replacing paper forms with electronic forms will result in more accurate data. Systems incorporating electronic forms can perform real time edit checks that will reduce the number of input errors. VerDate Aug<31>2005 16:26 Oct 12, 2005 Jkt 208001 These checks can range from simple verification of valid date formats, to complex validations of proper nomenclature and limits of chemicals emitted into the environment. Improved data quality will also help reduce the time required for data correction and the effects of inaccurate reporting. • Making data more readily available. The process of creating, mailing, receiving, entering, verifying, and correcting paper reports consumes both resources and time. This delays the analysis of the data by EPA and authorized programs and its availability to decision makers and the public. • Provides the foundation for further process re-engineering. Moving data from a paper to an electronic system as early in the process as possible creates the foundation on which many workflow re-engineering initiatives can be constructed. B. Executive Order 13132 Executive Order 13132, entitled ‘‘Federalism’’ (64 FR 43255, August 10, 1999), requires EPA to develop an accountable process to ensure ‘‘meaningful and timely input by state and local officials in the development of regulatory policies that have federalism implications.’’ ‘‘Policies that have federalism implications’’ are defined in the Executive Order to include regulations that have ‘‘substantial direct effects on the states, on the relationship between the national government and the states, or on the distribution of power and responsibilities among the various levels of government.’’ This final rule does not have federalism implications. EPA has determined that the final rule will not have substantial direct effects on the states, on the relationship between the national government and the states, or on the distribution of power and responsibilities among the various levels of government, as specified in Executive Order 13132. The final rule will not require states to accept electronic reports. The effect of this rule will be to provide an electronic alternative to currently accepted methods of receiving regulatory reports on paper and to give the states the option of choosing to receive electronic submissions in satisfaction of reporting requirements under their authorized programs or continuing to require submissions on paper. Authorized states and local agencies that choose to receive electronic reports under this rule may incur expenses initially in developing systems or modifying existing systems to meet the standards in this rule. The average annual cost to state agencies in PO 00000 Frm 00029 Fmt 4701 Sfmt 4700 59875 upgrading their electronic receiving systems and obtaining EPA program modification approval depends on the amount of effort required to adhere to the requirements of this rule. However, EPA estimates that for those states deploying systems that meet rule standards, each state will incur a cost of about $12,000 in obtaining EPA approval of its system. For a state where upgrades to its systems are needed to meet rule requirements, the costs can range up to $460,000, depending on the size and complexity of its systems and the extent of the upgrades needed. Maintenance costs for maintaining compliance with this rule will cost each state about $10,000 annually. These costs include both capital costs required for hardware and software upgrades, and labor costs incurred by state employees. EPA analyzed the most likely alternative scenario where, absent this rule, EPA programs would implement rules that would require states to seek program modifications on a program by program basis. It should be noted that these analyses do not quantify the cost savings that states will incur through offering electronic reporting options to their reporting entities. EPA believes these savings will greatly outweigh the costs of complying with the rule. Based on these analyses, EPA believes that although the final rule imposes some compliance costs on state and local governments, the costs for most states are marginal and will result in net benefits over the most likely alternative scenario. Over the last several years, EPA has provided substantial financial support to states to assist in upgrades to information technology systems. For example, in fiscal years 2002–2004, EPA provided approximately $65 million dollars to states, tribes, and territories through grants to support their efforts to establish EIEN. EPA intends to award additional grants for fiscal year 2005. EPA’s fiscal year 2006 budget includes $20 million for the EIEN Grant Program. States, tribes, and territories may apply for these grant funds to generally upgrade their EIEN capabilities, including improvements related to this rule, e.g., to improve data validity and user authentication procedures, as required by today’s final rule. Although Section 6 of Executive Order 13132 does not apply to this rule, EPA has welcomed the active participation of the states; on several separate occasions EPA has held substantial consultations with state and local officials in developing this rule. State participation has resulted in changes to the final rule, including the section 3.1000 approval process and E:\FR\FM\13OCR3.SGM 13OCR3 59876 Federal Register / Vol. 70, No. 197 / Thursday, October 13, 2005 / Rules and Regulations special provisions such as deferred compliance for existing systems. C. Paperwork Reduction Act OMB has approved the information collection requirements contained in this rule under the provisions of the Paperwork Reduction Act (PRA), 44 U.S.C. 3501 et seq. and has assigned OMB control number 2025–0003. The ICR for this rule covers the registration information, which will be collected from individuals wishing to submit electronic reports to EPA on behalf of regulated facilities. The information will be used to establish the identity of that individual and the regulated entity he or she represents. This information will be used by EPA to register and provide individuals with the ability to access the EPA’s electronic document receiving system, CDX. In appropriate circumstances this information will also be used to issue an electronic signature to the registered individual. The ICR also covers activities incidental to electronic reporting (e.g., submittal of an electronic signature agreement to EPA as applicable). It should be noted that the submission of environmental reports in an electronic format to EPA and states, tribes, and local governments is voluntary for most examples of electronic reporting, and viewed as a service that EPA and its regulatory partners are providing to the regulated community. The rule allows reporting entities to submit reports and other information electronically, thereby streamlining and expediting the process for reporting. However, it should also be understood that this rule does set forth requirements for regulated entities that submit electronic reports directly to EPA and for states, tribes, and local governments that choose to implement electronic reporting under their authorized programs. EPA is issuing this rule on cross-media electronic reporting, in part, under the authority of GPEA, Public Law 105–277, which amends the PRA. In addition, the ICR covers state, tribe, and local government activities involved in upgrading their electronic receiving systems to satisfy the standards in the rule and in applying to EPA for approval of program modification. States, tribes, and local governments will undertake these activities only if they intend to collect information electronically under an EPA authorized program. The total annual reporting and recordkeeping burden this ICR estimates is 151,963 hours, which includes the tasks described above. It is expected that a respondent reporting directly to EPA VerDate Aug<31>2005 16:26 Oct 12, 2005 Jkt 208001 will take on average ten minutes to register with CDX; however, if the respondent contacts the CDX help desk for assistance with CDX registration, on average the respondent will incur an additional six minutes. The average annual number of respondents registering with CDX is 19,434. It is further expected that 201,331 respondents will report electronically to a state, tribe, or local government receiving system. Respondents reporting to EPA or state, tribe, or local governments may also incur an additional burden of 20 minutes to prepare, sign, and submit an electronic signature agreement. The average annual number of these respondents is 177,009. In addition, the ICR estimates that 7,293 medium-sized and large companies will register local registration authorities (LRA) and incur an additional burden of 1 hour. This includes the time to prepare and submit LRA designation applications, collect and store subscriber agreements, and prepare and submit certification of receipt and secure storage. Finally, it is expected that a state, tribe, or local government would take between 210 and 330 hours to prepare and submit its program modification application to EPA. The average annual number of states applying to EPA is expected to be 15; the average annual number of tribes and local governments applying to EPA is expected to be 46. In addition, the ICR estimates $4,450,658 in annual capital/start-up costs for states, tribes and local governments to upgrade their receiving systems. The ICR estimates $663,975 in annual operation and maintenance costs. This includes costs to registrants and state, tribes and local governments in submitting information to EPA. Public Burden Statement The public reporting burden is estimated to be 10 minutes for an individual that reports electronically to the CDX. This includes time for preparing the on-line application and calling the CDX help desk. The public reporting burden in this ICR is estimated to be 15 minutes for an individual that prepares and submits a subscriber agreement. The public reporting burden is estimated to be 30 minutes for a local registration authority. This includes time for preparing and submitting the certification of receipt and secure storage to EPA or state/local agency. The public reporting burden is estimated to range from 210 hours for a local government to 330 hours for a state seeking to implement an electronic receiving system. This includes time for PO 00000 Frm 00030 Fmt 4701 Sfmt 4700 preparing and submitting the program modification application to EPA. Burden means the total time, effort, or financial resources expended by persons to generate, maintain, retain, or disclose or provide information to or for a Federal agency. This includes the time needed to review instructions; develop, acquire, install, and utilize technology and systems for the purposes of collecting, validating, and verifying information, processing and maintaining information, and disclosing and providing information; adjust the existing ways to comply with any previously applicable instructions and requirements; train personnel to be able to respond to a collection of information; search data sources; complete and review the collection of information; and transmit or otherwise disclose the information. An agency may not conduct or sponsor, and a person is not required to respond to a collection of information unless it displays a currently valid OMB control number. The OMB control numbers for EPA’s regulations are listed in 40 CFR part 9 and 48 CFR chapter 15. In addition, EPA is amending the table in 40 CFR part 9 of currently approved OMB control numbers for various regulations to list the regulatory citations for the information requirements contained in this final rule. D. Regulatory Flexibility Act The Regulatory Flexibility Act (RFA), 5 U.S.C. 601 et seq., generally requires an agency to prepare a regulatory flexibility analysis of any rule subject to notice and comment rulemaking requirements under the Administrative Procedure Act or any other statute unless the agency certifies that the rule will not have a significant economic impact on a substantial number of small entities. Small entities include small businesses, small organizations, and small governmental jurisdictions. For the purpose of assessing the impacts of today’s rule on small entities, small entity is defined as: (1) Small business as defined by the RFA and based on Small Business Administration (SBA) size standards; (2) a small governmental jurisdiction that is a government of a city, county, town, school district, or special district with a population of less then 50,000; and (3) a small organization that is any not-forprofit enterprise which is independently owned and operated and is not dominant in its field. After considering the economic impacts of today’s final rule on small entities, the Agency certifies, pursuant to section 605(b) of the RFA, that this E:\FR\FM\13OCR3.SGM 13OCR3 Federal Register / Vol. 70, No. 197 / Thursday, October 13, 2005 / Rules and Regulations action will not have a significant economic impact on a substantial number of small entities. Courts have interpreted the RFA to require a regulatory flexibility analysis only when small entities will be subject to the requirements of the rule. See Motor and Equip. Mfrs. Ass’n v. Nichols, 142 F.3d 449 (D.C. Cir. 1998); United Distribution Cos. v. FERC, 88 F.3d 1105, 1170 (D.C. Cir. 1996); Mid-Tex Elec. Co-op, Inc. v. FERC, 773 F.2d 327, 342 (D.C. Cir. 1985) (agency’s certification need only consider the rule’s impact on entities subject to the rule). This final rule would not establish any new direct requirements applicable to small entities. States that are directly regulated in this rulemaking are not small entities. This rule provides for EPA review and approval of authorized state, tribe, and local government programs that decide to provide for electronic reporting. This rule includes performance standards against which a state’s, tribe’s, or local government’s electronic document receiving system will be evaluated before EPA will approve changes to the delegated, authorized, or approved program to provide electronic reporting, and establishes a streamlined process that states, tribes, and local governments can use to seek and obtain such approvals. The rule also includes special provisions for existing state electronic reporting systems in place at the time of publication of this rule. Currently, entities that choose to submit electronic documents directly to EPA submit documents to a centralized Agency-wide electronic documentreceiving system, called the CDX, or to alternative systems designated by the Administrator. This rule does not change those systems. In addition, today’s rule, does not require the submission of electronic documents in lieu of paper documents. Because there is no requirement to adopt electronic reporting, EPA has determined that small local governments will not be directly impacted by this rule. Nonetheless, EPA also considered the possible impacts of this rule to determine whether small local governments could potentially be subject to the provisions of § 3.1000, which would require these programs to seek EPA approval for their electronic document receiving systems if they choose to provide electronic reporting. EPA reviewed its programs and conducted follow-up to comments received from industry, state, and local government associations to determine possible impacts to small local jurisdictions. Based on its review, EPA concluded that the only small VerDate Aug<31>2005 16:26 Oct 12, 2005 Jkt 208001 government jurisdictions possibly subject to the rule are those with Publicly-Owned Treatment Works (POTWs). Only POTWs choosing to deploy electronic document receiving systems would be subject to today’s rule. Through analysis and direct discussions with municipal POTWs and trade associations, EPA did not identify any such small government jurisdictions planning to deploy electronic reporting systems. Although not required by the RFA, (See Michigan v. EPA, 213 F.3d 663, 668–69 (D.C. Cir., 2000), cert. den. 121 S.Ct. 225, 149 L.Ed.2d 135 (2001)), as a part of the analysis prepared under Executive Order 12866, EPA also considered the costs to small entities that are indirect reporters to authorized state, tribal, and local government programs. For this final rule, EPA prepared a cost/benefit analysis to assess the economic impact of CROMERR, which can be found in the docket for this rule. Although this rule will not have a significant economic impact on a substantial number of small entities, the Agency nonetheless consulted with small entities as well as organizations such as the Small Business Administration (SBA). We made several changes to the rule based upon these discussions. E. Unfunded Mandates Reform Act Title II of the Unfunded Mandates Reform Act of 1995 (UMRA), Public Law 104–4, establishes requirements for federal agencies to assess the effects of their regulatory actions on states, tribes, and local governments and the private sector. Under section 202 of UMRA, EPA must prepare a written statement, including a cost-benefit analysis, for proposed and final rules with ‘‘Federal mandates’’ that may result in expenditures to states, tribes, and local governments, in the aggregate, or to the private sector, of $100 million or more in any one year. Before promulgating a rule for which a written statement is needed, section 205 of the UMRA generally requires EPA to identify and consider a reasonable number of regulatory alternatives and adopt the least costly, most cost-effective or least burdensome alternative that achieves the objectives of the rule. The provisions of section 205 do not apply when they are inconsistent with applicable law. Moreover, section 205 allows EPA to adopt an alternative other than the least costly, most cost-effective or least burdensome alternative if the Administrator publishes with the final rule an explanation why that alternative was not adopted. PO 00000 Frm 00031 Fmt 4701 Sfmt 4700 59877 Before EPA establishes any regulatory requirements that may significantly or uniquely affect small governments, including tribes, it must have developed under section 203 of UMRA a smallgovernment agency plan. The plan must provide for notifying potentially affected small governments, enabling officials of affected small governments to have meaningful and timely input into the development of EPA regulatory proposals with significant Federal intergovernmental mandates. The plan must also provide for informing, educating, and advising small governments on compliance with the regulatory requirements. As described in section VIII.D. of this Preamble, above, EPA also evaluated the possible impacts of this rule to small governments. In particular, EPA was concerned that small governments could potentially be subject to the provisions of § 3.1000, which would require these programs to seek EPA approval for the electronic document receiving systems. EPA reviewed its programs, and also conducted follow-up to comments from industry, state, and local government associations to determine possible impacts to small local governments. As a result of this review, EPA concluded that small local governments would not be adversely impacted by the provisions of § 3.1000 this rule. The Agency has determined that this rule does not contain a Federal mandate that may result in expenditures of $100 million or more for states, tribes, and local governments, in the aggregate, or the private sector in any one year. Thus, today’s rule is not subject to the requirements in sections 202 and 205 of UMRA. The Agency has determined that this rule contains no regulatory requirements that might significantly or uniquely affect small governments and thus this rule is not subject to the requirements in section 202 of UMRA. F. National Technology Transfer and Advancement Act Section 12(d) of the National Technology Transfer and Advancement Act of 1995 (NTTAA), Public Law 104– 113, section 12(d) (15 U.S.C. 272 note) directs EPA to use voluntary consensus standards in its regulatory activities unless to do so would be inconsistent with applicable law or otherwise impractical. Voluntary consensus standards are technical standards (e.g., materials specifications, test methods, sampling procedures, and business practices) that are developed or adopted by voluntary consensus standards bodies. The NTTAA directs EPA to provide Congress, through OMB, with explanations when the Agency decides E:\FR\FM\13OCR3.SGM 13OCR3 59878 Federal Register / Vol. 70, No. 197 / Thursday, October 13, 2005 / Rules and Regulations not to use available and applicable voluntary consensus standards. The consensus standards relevant to an electronic reporting rule are primarily technical standards that specify file formats for the electronic exchange of data, telecommunications network protocols, and electronic signature technologies and formats. EPA is not setting requirements for electronic reporting at the level of specificity addressed by such formats, protocols and technologies, so consensus standards are not directly applicable to today’s rule. For example, the final rule does not stipulate data exchange formats, does not specify electronic signature technologies, and does not address telecommunications issues. At the same time, there is nothing in today’s rule that is incompatible with these standards, and in implementing electronic reporting under this rule EPA is adopting standards-based approaches to electronic data exchange. In the preamble to the proposed rule, EPA described its initial plans to implement a number of standards-based approaches to electronic reporting, including electronic data exchange formats based upon the ANSI Accredited Standards Committee’s (ASC) X12 for Electronic Data Interchange or EDI. That preamble also discussed EPA’s interest in exploring the use of Internet data exchange formats based on XML, then under development by the World Wide Web Consortium (W3C). As a part of the preamble discussion, EPA solicited comment on these planned standardsbased electronic reporting implementations. In response, EPA received considerable feedback both from states and from industry indicating a trend in the direction of XML, and away from the deployment of ANSI ASC X12 standards. In any event, CDX now looks to XML to provide the formats for its Internet data exchanges. EPA currently supports multi-agency Integrated Project Teams to develop XML formats and intends to use standardized formats for this purpose to the extent that they are available. In addition, EPA currently registers XML formats in its System of Registries to facilitate easy access to these formats for partners wishing to exchange data. EPA is attempting to make use of applicable standards-setting work being done by several organizations, including the Electronic Business XML (ebXML), the Organization for the Advancement of Structured Information Standards (OASIS), and, internationally, the United Nation’s Center for Administration, Commerce, and Transport (UN/CEFACT) Forum. In any VerDate Aug<31>2005 16:26 Oct 12, 2005 Jkt 208001 event, today’s rule is compatible with any of these current standards-based approaches to electronic reporting, but the rule itself does not set requirements at the level of detail that such standards address. Indian tribes by giving them the opportunity to submit electronic reports to EPA in satisfaction of EPA reporting requirements and by allowing them to implement electronic reporting under their authorized programs. G. Executive Order 13045 Executive Order 13045, Protection of Children from Environmental Health Risks and Safety Risks (62 FR 19885, April 23, 1997) applies to any rule that EPA determines (1) ‘‘economically significant’’ as defined under Executive Order 12866 and (2) concerns an environmental health or safety risk that EPA has reason to believe may have a disproportionate effect on children. EPA interprets Executive Order 13045 as encompassing only those regulatory actions that are risk-based or healthbased, such that the analysis required under Section 5–501 of the Executive Order has the potential to influence the regulation. This rule is not subject to Executive Order 13045 because it is not an economically significant action as defined by Executive Order 12866 and it does not involve decisions regarding environmental health or safety risks. This rule contains general performance standards for the submission of environmental data electronically. I. Executive Order 13211 (Energy Effects) H. Executive Order 13175 Executive Order 13175, entitled, ‘‘Consultation and Coordination with Indian Tribal Governments’’ (65 FR 67249, November 6, 2000), requires EPA to develop an accountable process to ensure ‘‘meaningful and timely input by tribal officials in the development of regulatory policies that have tribal implications.’’ ‘‘Policies that have tribal implications’’ are defined in the Executive Order to include regulations that have ‘‘substantial direct effects on one or more Indian tribes, on the relationship between the Federal Government and the Indian tribes, or on the distribution of power and responsibilities between the Federal Government and Indian tribes.’’ This rule does not have tribal implications, as specified in Executive Order 13175, and therefore consultation under the Order is not required. It will not have substantial direct effects on tribes, on the relationship between the federal government and Indian tribes, or on the distribution of power and responsibilities between the federal government and Indian tribes, as specified in Executive Order 13175. This action does not require Indian tribes to accept electronic reports. The effect of this rule is to provide additional regulatory flexibility to PO 00000 Frm 00032 Fmt 4701 Sfmt 4700 This rule is not a ‘‘significant energy action’’ as defined in Executive Order 13211, ‘‘Actions Concerning Regulations That Significantly Affect Energy Supply, Distribution, or Use’’ (66 FR 28355, May 22, 2001) because it is not likely to have a significant adverse affect on the supply, distribution, or use of energy. EPA has concluded that this rule is not likely to have any adverse energy effects. J. Congressional Review Act The Congressional Review Act, 5 U.S.C. 801 et seq., as added by the Small Business Regulatory Enforcement Fairness Act of 1996, generally provides that before a rule may take effect, the agency promulgating the rule must submit a rule report, which includes a copy of the rule, to each House of the Congress and to the Comptroller General of the United States. EPA will submit a report containing this rule and other required information to the U.S. Senate, the U.S. House of Representatives, and the Comptroller General of the United States prior to publication of the rule in the Federal Register. A major rule cannot take effect until 60 days after it is published in the Federal Register. This action is not a ‘‘major rule’’ as defined by 5 U.S.C. 804(2). This rule will become effective on January 11, 2006. List of Subjects 40 CFR Part 3 Environmental protection, Conflict of interests, Electronic records, Electronic reporting requirements, Electronic reports, Intergovernmental relations. 40 CFR Part 9 Environmental protection, Electronic records, Electronic reporting requirements, Electronic reports, Intergovernmental relations, Reporting and recordkeeping requirements. 40 CFR Part 51 Environmental protection, Administrative practice and procedure, Air pollution control, Carbon monoxide, Electronic records, Electronic reporting requirements, Electronic reports, Intergovernmental relations, Lead, Nitrogen dioxide, Ozone, Particulate matter, Reporting and recordkeeping E:\FR\FM\13OCR3.SGM 13OCR3 Federal Register / Vol. 70, No. 197 / Thursday, October 13, 2005 / Rules and Regulations requirements, Sulfur oxides, Volatile organic compounds. 40 CFR Part 60 Environmental protection, Administrative practice and procedure, Air pollution control, Aluminum, Ammonium sulfate plants, Batteries, Beverages, Carbon monoxide, Cement industry, Coal, Copper, Dry cleaners, Electric power plants, Electronic records, Electronic reporting requirements, Electronic reports, Fertilizers, Fluoride, Gasoline, Glass and glass products, Grains, Graphic arts industry, Heaters, Household appliances, Insulation, Intergovernmental relations, Iron, Labeling, Lead, Lime, Metallic and nonmetallic mineral processing plants, Metals, Motor vehicles, Natural gas, Nitric acid plants, Nitrogen dioxide, Paper and paper products industry, Particulate matter, Paving and roofing materials, Petroleum, Phosphate, Plastics materials and synthetics, Polymers, Reporting and recordkeeping requirements, Sewage disposal, Steel, Sulfur oxides, Sulfuric acid plants, Tires, Urethane, Vinyl, Volatile organic compounds, Waste treatment and disposal, Zinc. 40 CFR Part 63 Environmental protection, Air pollution control, Electronic records, Electronic reporting requirements, Electronic reports, Hazardous substances, Intergovernmental relations, Reporting and recordkeeping requirements. 40 CFR Part 69 Environmental protection, Air pollution control, Electronic records, Electronic reporting requirements, Electronic reports, Guam, Intergovernmental relations. 40 CFR Part 71 Environmental protection, Administrative practice and procedure, Electronic records, Electronic reporting requirements, Electronic reports, Intergovernmental relations. 40 CFR Part 123 Environmental protection, Administrative practice and procedure, Confidential business information, Electronic records, Electronic reporting requirements, Electronic reports, Jkt 208001 Environmental protection, Administrative practice and procedure, Chemicals, Electronic records, Electronic reporting requirements, Electronic reports, Indians-lands, Intergovernmental relations, Radiation protection, Reporting and recordkeeping requirements, Water supply. 40 CFR Part 145 Environmental protection, Confidential business information, Electronic records, Electronic reporting requirements, Electronic reports, Indians-lands, Intergovernmental relations, Penalties, Reporting and recordkeeping requirements, Water supply. 40 CFR Part 162 Environmental protection, Administrative practice and procedure, Electronic records, Electronic reporting requirements, Electronic reports, Intergovernmental relations, Pesticides and pests, Reporting and recordkeeping requirements, State registration of pesticide products. 40 CFR Part 233 Environmental protection, Administrative practice and procedure, Electronic records, Electronic reporting requirements, Electronic reports, Intergovernmental relations, Penalties, Reporting and recordkeeping requirements, Water pollution control. Environmental protection, Electronic records, Electronic reporting requirements, Electronic reports, Intergovernmental relations, Waste treatment and disposal. Environmental protection, Administrative practice and procedure, Electronic records, Electronic reporting requirements, Electronic reports, Intergovernmental relations. 16:26 Oct 12, 2005 40 CFR Part 142 40 CFR Part 257 40 CFR Part 70 VerDate Aug<31>2005 Hazardous substances, Indians-lands, Intergovernmental relations, Penalties, Reporting and recordkeeping requirements, Water pollution control. 40 CFR Part 258 Environmental protection, Electronic records, Electronic reporting requirements, Electronic reports, Intergovernmental relations, Reporting and recordkeeping requirements, Waste treatment and disposal, Water pollution control. 40 CFR Part 271 Environmental protection, Administrative practice and procedure, Confidential business information, Electronic records, Electronic reporting requirements, Electronic reports, Hazardous materials transportation, Hazardous waste, Indians-lands, Intergovernmental relations, Penalties, PO 00000 Frm 00033 Fmt 4701 Sfmt 4700 59879 Reporting and recordkeeping requirements, Water pollution control, Water supply. 40 CFR Part 281 Environmental protection, Administrative practice and procedure, Electronic records, Electronic reporting requirements, Electronic reports, Hazardous substances, Insurance, Intergovernmental relations, Oil pollution, Reporting and recordkeeping requirements, Surety bonds, Water pollution control, Water supply. 40 CFR Part 403 Environmental protection, Confidential business information, Electronic records, Electronic reporting requirements, Electronic reports, Intergovernmental relations, Reporting and recordkeeping requirements, Waste treatment and disposal, Water pollution control. 40 CFR Part 501 Environmental protection, Administrative practice and procedure, Electronic records, Electronic reporting requirements, Electronic reports, Intergovernmental relations, Penalties, Reporting and recordkeeping requirements, Sewage disposal. 40 CFR Part 745 Environmental protection, Electronic records, Electronic reporting requirements, Electronic reports, Intergovernmental relations, Hazardous substances, Lead poisoning, Reporting and recordkeeping requirements. 40 CFR Part 763 Environmental protection, Administrative practice and procedure, Asbestos, Electronic records, Electronic reporting requirements, Electronic reports, Hazardous substances, Imports, Intergovernmental relations, Reporting and recordkeeping requirements. Dated: September 22, 2005. Stephen L. Johnson, Administrator. Therefore, Title 40 Chapter I of the Code of Federal Regulations is amended by adding a new Part 3, and amending parts 9, 51, 60, 63, 69, 70, 71, 123, 142, 145, 162, 233, 257, 258, 271, 281, 403, 501, 745, and 763 to read as follows: I PART 3—CROSS-MEDIA ELECTRONIC REPORTING Subpart A—General Provisions Sec. 3.1 Who does this part apply to? 3.2 How does this part provide for electronic reporting? 3.3 What definitions are applicable to this part? E:\FR\FM\13OCR3.SGM 13OCR3 59880 3.4 Federal Register / Vol. 70, No. 197 / Thursday, October 13, 2005 / Rules and Regulations How does this part affect enforcement and compliance provisions of Title 40? Subpart B—Electronic Reporting to EPA 3.10 What are the requirements for electronic reporting to EPA? 3.20 How will EPA provide notice of changes to the Central Data Exchange? Subpart C—[Reserved] Subpart D—Electronic Reporting under EPA-Authorized State, Tribe, and Local Programs 3.1000 How does a state, tribe, or local government revise or modify its authorized program to allow electronic reporting? 3.2000 What are the requirements authorized state, tribe, and local programs’ reporting systems must meet? Authority: 7 U.S.C. 136 to 136y; 15 U.S.C. 2601 to 2692; 33 U.S.C. 1251 to 1387; 33 U.S.C. 1401 to 1445; 33 U.S.C. 2701 to 2761; 42 U.S.C. 300f to 300j–26; 42 U.S.C. 4852d; 42 U.S.C. 6901–6992k; 42 U.S.C. 7401 to 7671q; 42 U.S.C. 9601 to 9675; 42 U.S.C. 11001 to 11050; 15 U.S.C. 7001; 44 U.S.C. 3504 to 3506. Subpart A—General Provisions § 3.1 Who does this part apply to? (a) This part applies to: (1) Persons who submit reports or other documents to EPA to satisfy requirements under Title 40 of the Code of Federal Regulations (CFR); and (2) States, tribes, and local governments administering or seeking to administer authorized programs under Title 40 of the CFR. (b) This part does not apply to: (1) Documents submitted via facsimile in satisfaction of reporting requirements as permitted under other parts of Title 40 or under authorized programs; or (2) Electronic documents submitted via magnetic or optical media such as diskette, compact disc, digital video disc, or tape in satisfaction of reporting requirements, as permitted under other parts of Title 40 or under authorized programs. (c) This part does not apply to any data transfers between EPA and states, tribes, or local governments as a part of their authorized programs or as a part of administrative arrangements between states, tribes, or local governments and EPA to share data. § 3.2 How does this part provide for electronic reporting? (a) Electronic reporting to EPA. Except as provided in § 3.1(b), any person who is required under Title 40 to create and submit or otherwise provide a document to EPA may satisfy this requirement with an electronic document, in lieu of a paper document, provided that: (1) He or she satisfies the requirements of § 3.10; and VerDate Aug<31>2005 18:22 Oct 12, 2005 Jkt 208001 (2) EPA has first published a notice in the Federal Register announcing that EPA is prepared to receive, in electronic form, documents required or permitted by the identified part or subpart of Title 40. (b) Electronic reporting under an EPAauthorized state, tribe, or local program. (1) An authorized program may allow any document submission requirement under that program to be satisfied with an electronic document provided that the state, tribe, or local government seeks and obtains revision or modification of that program in accordance with § 3.1000 and also meets the requirements of § 3.2000 for such electronic reporting. (2) A state, tribe, or local government that is applying for initial delegation, authorization, or approval to administer a federal program or a program in lieu of the federal program, and that will allow document submission requirements under the program to be satisfied with an electronic document, must use the procedures for obtaining delegation, authorization, or approval under the relevant part of Title 40 and may not use the procedures set forth in § 3.1000; but the application must contain the information required by § 3.1000(b)(1) and the state, tribe, or local government must meet the requirements of § 3.2000. (c) Limitations. This part does not require submission of electronic documents in lieu of paper. This part confers no right or privilege to submit data electronically and does not obligate EPA, states, tribes, or local governments to accept electronic documents. § 3.3 What definitions are applicable to this part? The definitions set forth in this section apply when used in this part. Acknowledgment means a confirmation of electronic document receipt. Administrator means the Administrator of the EPA. Agency means the EPA or a state, tribe, or local government that administers or seeks to administer an authorized program. Agreement collection certification means a signed statement by which a local registration authority certifies that a subscriber agreement has been received from a registrant; the agreement has been stored in a manner that prevents unauthorized access to these agreements by anyone other than the local registration authority; and the local registration authority has no basis to believe that any of the collected agreements have been tampered with or prematurely destroyed. PO 00000 Frm 00034 Fmt 4701 Sfmt 4700 Authorized program means a Federal program that EPA has delegated, authorized, or approved a state, tribe, or local government to administer, or a program that EPA has delegated, authorized, or approved a state, tribe or local government to administer in lieu of a Federal program, under other provisions of Title 40 and such delegation, authorization, or approval has not been withdrawn or expired. Central Data Exchange means EPA’s centralized electronic document receiving system, or its successors, including associated instructions for submitting electronic documents. Chief Information Officer means the EPA official assigned the functions described in section 5125 of the Clinger Cohen Act (Pub. L. 104–106). Copy of record means a true and correct copy of an electronic document received by an electronic document receiving system, which copy can be viewed in a human-readable format that clearly and accurately associates all the information provided in the electronic document with descriptions or labeling of the information. A copy of record includes: (1) All electronic signatures contained in or logically associated with that document; (2) The date and time of receipt; and (3) Any other information used to record the meaning of the document or the circumstances of its receipt. Disinterested individual means an individual who is not connected with the person in whose name the electronic signature device is issued. A disinterested individual is not any of the following: The person’s employer or employer’s corporate parent, subsidiary, or affiliate; the person’s contracting agent; member of the person’s household; or relative with whom the person has a personal relationship. Electronic document means any information in digital form that is conveyed to an agency or third-party, where ‘‘information’’ may include data, text, sounds, codes, computer programs, software, or databases. ‘‘Data,’’ in this context, refers to a delimited set of data elements, each of which consists of a content or value together with an understanding of what the content or value means; where the electronic document includes data, this understanding of what the data element content or value means must be explicitly included in the electronic document itself or else be readily available to the electronic document recipient. Electronic document receiving system means any set of apparatus, procedures, E:\FR\FM\13OCR3.SGM 13OCR3 Federal Register / Vol. 70, No. 197 / Thursday, October 13, 2005 / Rules and Regulations software, records, or documentation used to receive electronic documents. Electronic signature means any information in digital form that is included in or logically associated with an electronic document for the purpose of expressing the same meaning and intention as would a handwritten signature if affixed to an equivalent paper document with the same reference to the same content. The electronic document bears or has on it an electronic signature where it includes or has logically associated with it such information. Electronic signature agreement means an agreement signed by an individual with respect to an electronic signature device that the individual will use to create his or her electronic signatures requiring such individual to protect the electronic signature device from compromise; to promptly report to the agency or agencies relying on the electronic signatures created any evidence discovered that the device has been compromised; and to be held as legally bound, obligated, or responsible by the electronic signatures created as by a handwritten signature. Electronic signature device means a code or other mechanism that is used to create electronic signatures. Where the device is used to create an individual’s electronic signature, then the code or mechanism must be unique to that individual at the time the signature is created and he or she must be uniquely entitled to use it. The device is compromised if the code or mechanism is available for use by any other person. EPA means the United States Environmental Protection Agency. Existing electronic document receiving system means an electronic document receiving system that is being used to receive electronic documents in lieu of paper to satisfy requirements under an authorized program on October 13, 2005 or the system, if not in use, has been substantially developed on or before that date as evidenced by the establishment of system services or specifications by contract or other binding agreement. Federal program means any program administered by EPA under any other provision of Title 40. Federal reporting requirement means a requirement to report information directly to EPA under any other provision of Title 40. Handwritten signature means the scripted name or legal mark of an individual, handwritten by that individual with a marking-or writinginstrument such as a pen or stylus and executed or adopted with the present intention to authenticate a writing in a VerDate Aug<31>2005 16:26 Oct 12, 2005 Jkt 208001 permanent form, where ‘‘a writing’’ means any intentional recording of words in a visual form, whether in the form of handwriting, printing, typewriting, or any other tangible form. The physical instance of the scripted name or mark so created constitutes the handwritten signature. The scripted name or legal mark, while conventionally applied to paper, may also be applied to other media. Information or objects of independent origin means data or items that originate from a disinterested individual or are forensic evidence of a unique, immutable trait which is (and may at any time be) attributed to the individual in whose name the device is issued. Local registration authority means an individual who is authorized by a state, tribe, or local government to issue an agreement collection certification, whose identity has been established by notarized affidavit, and who is authorized in writing by a regulated entity to issue agreement collection certifications on its behalf. Priority reports means the reports listed in Appendix 1 to part 3. Subscriber agreement means an electronic signature agreement signed by an individual with a handwritten signature. This agreement must be stored until five years after the associated electronic signature device has been deactivated. Transmit means to successfully and accurately convey an electronic document so that it is received by the intended recipient in a format that can be processed by the electronic document receiving system. Valid electronic signature means an electronic signature on an electronic document that has been created with an electronic signature device that the identified signatory is uniquely entitled to use for signing that document, where this device has not been compromised, and where the signatory is an individual who is authorized to sign the document by virtue of his or her legal status and/ or his or her relationship to the entity on whose behalf the signature is executed. § 3.4 How does this part affect enforcement and compliance provisions of Title 40? (a) A person is subject to any applicable federal civil, criminal, or other penalties and remedies for failure to comply with a federal reporting requirement if the person submits an electronic document to EPA under this part that fails to comply with the provisions of § 3.10. (b) A person is subject to any applicable federal civil, criminal, or PO 00000 Frm 00035 Fmt 4701 Sfmt 4700 59881 other penalties or remedies for failure to comply with a State, tribe, or local reporting requirement if the person submits an electronic document to a State, tribe, or local government under an authorized program and fails to comply with the applicable provisions for electronic reporting. (c) Where an electronic document submitted to satisfy a federal or authorized program reporting requirement bears an electronic signature, the electronic signature legally binds, obligates, and makes the signatory responsible, to the same extent as the signatory’s handwritten signature would on a paper document submitted to satisfy the same federal or authorized program reporting requirement. (d) Proof that a particular signature device was used to create an electronic signature will suffice to establish that the individual uniquely entitled to use the device did so with the intent to sign the electronic document and give it effect. (e) Nothing in this part limits the use of electronic documents or information derived from electronic documents as evidence in enforcement or other proceedings. Subpart B—Electronic Reporting to EPA § 3.10 What are the requirements for electronic reporting to EPA? (a) A person may use an electronic document to satisfy a federal reporting requirement or otherwise substitute for a paper document or submission permitted or required under other provisions of Title 40 only if: (1) The person transmits the electronic document to EPA’s Central Data Exchange, or to another EPA electronic document receiving system that the Administrator may designate for the receipt of specified submissions, complying with the system’s requirements for submission; and (2) The electronic document bears all valid electronic signatures that are required under paragraph (b) of this section. (b) An electronic document must bear the valid electronic signature of a signatory if that signatory would be required under Title 40 to sign the paper document for which the electronic document substitutes, unless EPA announces special provisions to accept a handwritten signature on a separate paper submission and the signatory provides that handwritten signature. § 3.20 How will EPA provide notice of changes to the Central Data Exchange? (a) Except as provided under paragraph (b) of this section, whenever E:\FR\FM\13OCR3.SGM 13OCR3 59882 Federal Register / Vol. 70, No. 197 / Thursday, October 13, 2005 / Rules and Regulations EPA plans to change Central Data Exchange hardware or software in ways that would affect the transmission process, EPA will provide notice as follows: (1) Significant changes to CDX: Where the equipment, software, or services needed to transmit electronic documents to the Central Data Exchange would be changed significantly, EPA will provide public notice and seek comment on the change and the proposed implementation schedule through the Federal Register; (2) Other changes to CDX: EPA will provide notice of other changes to Central Data Exchange users at least sixty (60) days in advance of implementation. (3) De minimis or transparent changes to CDX: For de minimis or transparent changes that have minimal or no impact on the transmission process, EPA may provide notice if appropriate on a caseby-case basis. (b) Emergency changes to CDX: Any change which EPA’s Chief Information Officer or his or her designee determines is needed to ensure the security and integrity of the Central Data Exchange is exempt from the provisions of paragraph (a) of this section. However, to the extent consistent with ensuring the security and integrity of the system, EPA will provide notice for any change other than de minimis or transparent changes to the Central Data Exchange. Subpart C—[Reserved] Subpart D—Electronic Reporting Under EPA-Authorized State, Tribe, and Local Programs § 3.1000 How does a state, tribe, or local government revise or modify its authorized program to allow electronic reporting? (a) A state, tribe, or local government that receives or plans to begin receiving electronic documents in lieu of paper documents to satisfy requirements under an authorized program must revise or modify such authorized program to ensure that it meets the requirements of this part. (1) General procedures for program modification or revision: To revise or modify an authorized program to meet the requirements of this part, a state, tribe, or local government must submit an application that complies with paragraph (b)(1) of this section and must follow either the applicable procedures for program revision or modification in other parts of Title 40, or, at the applicant’s option, the procedures provided in paragraphs (b) through (e) of this section. VerDate Aug<31>2005 18:22 Oct 12, 2005 Jkt 208001 (2) Programs planning to receive electronic documents under an authorized program: A state, tribe, or local government that does not have an existing electronic document receiving system for an authorized program must receive EPA approval of revisions or modifications to such program in compliance with paragraph (a)(1) of this section before the program may receive electronic documents in lieu of paper documents to satisfy program requirements. (3) Programs already receiving electronic documents under an authorized program: A state, tribe, or local government with an existing electronic document receiving system for an authorized program must submit an application to revise or modify such authorized program in compliance with paragraph (a)(1) of this section no later than October 13, 2007. On a case-bycase basis, this deadline may be extended by the Administrator, upon request of the state, tribe, or local government, where the Administrator determines that the state, tribe, or local government needs additional time to make legislative or regulatory changes to meet the requirements of this part. (4) Programs with approved electronic document receiving systems: An authorized program that has EPA’s approval to accept electronic documents in lieu of paper documents must keep EPA apprised of those changes to laws, policies, or the electronic document receiving systems that have the potential to affect program compliance with § 3.2000. Where the Administrator determines that such changes require EPA review and approval, EPA may request that the state, tribe, or local government submit an application for program revision or modification; additionally, a state, tribe, or local government on its own initiative may submit an application for program revision or modification respecting their receipt of electronic documents. Such applications must comply with paragraph (a)(1) of this section. (5) Restrictions on the use of procedures in this section: The procedures provided in paragraphs (b) through (e) of this section may only be used for revising or modifying an authorized program to provide for electronic reporting and for subsequent revisions or modifications to the electronic reporting elements of an authorized program as provided under paragraph (a)(4) of this section. (b)(1) To obtain EPA approval of program revisions or modifications using procedures provided under this section, a state, tribe, or local government must submit an application PO 00000 Frm 00036 Fmt 4701 Sfmt 4700 to the Administrator that includes the following elements: (i) A certification that the state, tribe, or local government has sufficient legal authority provided by lawfully enacted or promulgated statutes or regulations that are in full force and effect on the date of the certification to implement the electronic reporting component of its authorized programs covered by the application in conformance with § 3.2000 and to enforce the affected programs using electronic documents collected under these programs, together with copies of the relevant statutes and regulations, signed by the State Attorney General or his or her designee, or, in the case of an authorized tribe or local government program, by the chief executive or administrative official or officer of the governmental entity, or his or her designee; (ii) A listing of all the state, tribe, or local government electronic document receiving systems to accept the electronic documents being addressed by the program revisions or modifications that are covered by the application, together with a description for each such system that specifies how the system meets the applicable requirements in § 3.2000 with respect to those electronic documents; (iii) A schedule of upgrades for the electronic document receiving systems listed under paragraph (b)(1)(ii) of this section that have the potential to affect the program’s continued conformance with § 3.2000; and (iv) Other information that the Administrator may request to fully evaluate the application. (2) A state, tribe, or local government that revises or modifies more than one authorized program for receipt of electronic documents in lieu of paper documents may submit a consolidated application under this section covering more than one authorized program, provided the consolidated application complies with paragraph (b)(1) of this section for each authorized program. (3)(i) Within 75 calendar days of receiving an application for program revision or modification submitted under paragraph (b)(1) of this section, the Administrator will respond with a letter that either notifies the state, tribe, or local government that the application is complete or identifies deficiencies in the application that render the application incomplete. The state, tribe, or local government receiving a notice of deficiencies may amend the application and resubmit it. Within 30 calendar days of receiving the amended application, the Administrator will respond with a letter that either notifies the applicant that the amended E:\FR\FM\13OCR3.SGM 13OCR3 Federal Register / Vol. 70, No. 197 / Thursday, October 13, 2005 / Rules and Regulations application is complete or identifies remaining deficiencies that render the application incomplete. (ii) If a state, tribe, or local government receiving notice of deficiencies under paragraph (b)(3)(i) of this section does not remedy the deficiencies and resubmit the subject application within a reasonable period of time, the Administrator may act on the incomplete application under paragraph (c) of this section. (c)(1) The Administrator will act on an application by approving or denying the state’s, tribe’s or local government’s request for program revision or modification. (2) Where a consolidated application submitted under paragraph (b)(2) of this section addresses revisions or modifications to more than one authorized program, the Administrator may approve or deny the request for revision or modification of each authorized program in the application separately; the Administrator need not take the same action with respect to the requested revisions or modifications for each such program. (3) When an application under paragraph (b) of this section requests revision or modification of an authorized public water system program under part 142 of this title, the Administrator will, in accordance with the procedures in paragraph (f) of this section, provide an opportunity for a public hearing before a final determination pursuant to paragraph (c)(1) of this section with respect to that component of the application. (4) Except as provided under paragraph (c)(4)(i) and (ii) of this section, if the Administrator does not take any action under paragraph (c)(1) of this section on a specific request for revision or modification of a specific authorized program addressed by an application submitted under paragraph (b) of this section within 180 calendar days of notifying the state, tribe, or local government under paragraph (b)(3) of this section that the application is complete, the specific request for program revision or modification for the specific authorized program is considered automatically approved by EPA at the end of the 180 calendar days unless the review period is extended at the request of the state, tribe, or local government submitting the application. (i) Where an opportunity for public hearing is required under paragraph (c)(3) of this section, the Administrator’s action on the requested revision or modification will be in accordance with paragraph (f) of this section. (ii) Where a requested revision or modification addressed by an VerDate Aug<31>2005 16:26 Oct 12, 2005 Jkt 208001 application submitted under paragraph (b) of this section is to an authorized program with an existing electronic document receiving system, and where notification under paragraph (b)(3) of this section that the application is complete is executed after October 13, 2007, if the Administrator does not take any action under paragraph (c)(1) of this section on the specific request for revision or modification within 360 calendar days of such notification, the specific request is considered automatically approved by EPA at the end of the 360 calendar days unless the review period is extended at the request of the state, tribe, or local government submitting the application. (d) Except where an opportunity for public hearing is required under paragraph (c)(3) of this section, EPA’s approval of a program revision or modification under this section will be effective upon publication of a notice of EPA’s approval of the program revision or modification in the Federal Register. EPA will publish such a notice promptly after approving a program revision or modification under paragraph (c)(1) of this section or after an EPA approval occurs automatically under paragraph (c)(4) of this section. (e) If a state, tribe, or local government submits material to amend its application under paragraph (b)(1) of this section after the date that the Administrator sends notification under paragraph (b)(3)(i) of this section that the application is complete, this new submission will constitute withdrawal of the pending application and submission of a new, amended application for program revision or modification under paragraph (b)(1) of this section, and the 180-day time period in paragraph (c)(4) of this section or the 360-day time period in paragraph (c)(4)(ii) of this section will begin again only when the Administrator makes a new determination and notifies the state, tribe, or local government under paragraph (b)(3)(i) of this section that the amended application is complete. (f) For an application under this section that requests revision or modification of an authorized public water system program under part 142 of this chapter: (1) The Administrator will publish notice of the Administrator’s preliminary determination under paragraph (c)(1) of this section in the Federal Register, stating the reasons for the determination and informing interested persons that they may request a public hearing on the Administrator’s determination. Frivolous or insubstantial requests for a hearing may be denied by the Administrator; PO 00000 Frm 00037 Fmt 4701 Sfmt 4700 59883 (2) Requests for a hearing submitted under this section must be submitted to the Administrator within 30 days after publication of the notice of opportunity for hearing in the Federal Register. The Administrator will give notice in the Federal Register of any hearing to be held pursuant to a request submitted by an interested person or on the Administrator’s own motion. Notice of hearing will be given not less than 15 days prior to the time scheduled for the hearing; (3) The hearing will be conducted by a designated hearing officer in an informal, orderly, and expeditious manner. The hearing officer will have authority to take such action as may be necessary to assure the fair and efficient conduct of the hearing; and (4) After reviewing the record of the hearing, the Administrator will issue an order either affirming the determination the Administrator made under paragraph (c)(1) of this section or rescinding such determination and will promptly publish a notice of the order in the Federal Register. If the order is to approve the program revision or modification, EPA’s approval will be effective upon publication of the notice in the Federal Register. If no timely request for a hearing is received and the Administrator does not determine to hold a hearing on the Administrator’s own motion, the Administrator’s determination made under paragraph (c)(1) of this section will be effective 30 days after notice is published pursuant to paragraph (f)(1) of this section. § 3.2000 What are the requirements authorized state, tribe, and local programs’ reporting systems must meet? (a) Authorized programs that receive electronic documents in lieu of paper to satisfy requirements under such programs must: (1) Use an acceptable electronic document receiving system as specified under paragraphs (b) and (c) of this section; and (2) Require that any electronic document must bear the valid electronic signature of a signatory if that signatory would be required under the authorized program to sign the paper document for which the electronic document substitutes, unless the program has been approved by EPA to accept a handwritten signature on a separate paper submission. The paper submission must contain references to the electronic document sufficient for legal certainty that the signature was executed with the intention to certify to, attest to, or agree to the content of that electronic document. E:\FR\FM\13OCR3.SGM 13OCR3 59884 Federal Register / Vol. 70, No. 197 / Thursday, October 13, 2005 / Rules and Regulations (b) An electronic document receiving system that receives electronic documents submitted in lieu of paper documents to satisfy requirements under an authorized program must be able to generate data with respect to any such electronic document, as needed and in a timely manner, including a copy of record for the electronic document, sufficient to prove, in private litigation, civil enforcement proceedings, and criminal proceedings, that: (1) The electronic document was not altered without detection during transmission or at any time after receipt; (2) Any alterations to the electronic document during transmission or after receipt are fully documented; (3) The electronic document was submitted knowingly and not by accident; (4) Any individual identified in the electronic document submission as a submitter or signatory had the opportunity to review the copy of record in a human-readable format that clearly and accurately associates all the information provided in the electronic document with descriptions or labeling of the information and had the opportunity to repudiate the electronic document based on this review; and (5) In the case of an electronic document that must bear electronic signatures of individuals as provided under paragraph (a)(2) of this section, that: (i) Each electronic signature was a valid electronic signature at the time of signing; (ii) The electronic document cannot be altered without detection at any time after being signed; (iii) Each signatory had the opportunity to review in a humanreadable format the content of the electronic document that he or she was certifying to, attesting to or agreeing to by signing; (iv) Each signatory had the opportunity, at the time of signing, to review the content or meaning of the required certification statement, including any applicable provisions that false certification carries criminal penalties; (v) Each signatory has signed either an electronic signature agreement or a subscriber agreement with respect to the electronic signature device used to create his or her electronic signature on the electronic document; (vi) The electronic document receiving system has automatically responded to the receipt of the electronic document with an acknowledgment that identifies the electronic document received, including the signatory and the date and time of receipt, and is sent to at least one address that does not share the same access controls as the account used to make the electronic submission; and (vii) For each electronic signature device used to create an electronic signature on the document, the identity of the individual uniquely entitled to use the device and his or her relation to any entity for which he or she will sign electronic documents has been determined with legal certainty by the issuing state, tribe, or local government. In the case of priority reports identified in the table in Appendix 1 of Part 3, this determination has been made before the electronic document is received, by means of: (A) Identifiers or attributes that are verified (and that may be re-verified at any time) by attestation of disinterested individuals to be uniquely true of (or attributable to) the individual in whose name the application is submitted, based on information or objects of independent origin, at least one item of Category which is not subject to change without governmental action or authorization; or (B) A method of determining identity no less stringent than would be permitted under paragraph (b)(5)(vii)(A) of this section; or (C) Collection of either a subscriber agreement or a certification from a local registration authority that such an agreement has been received and securely stored. (c) An authorized program that receives electronic documents in lieu of paper documents must ensure that: (1) A person is subject to any appropriate civil, criminal penalties or other remedies under state, tribe, or local law for failure to comply with a reporting requirement if the person fails to comply with the applicable provisions for electronic reporting. (2) Where an electronic document submitted to satisfy a state, tribe, or local reporting requirement bears an electronic signature, the electronic signature legally binds or obligates the signatory, or makes the signatory responsible, to the same extent as the signatory’s handwritten signature on a paper document submitted to satisfy the same reporting requirement. (3) Proof that a particular electronic signature device was used to create an electronic signature that is included in or logically associated with an electronic document submitted to satisfy a state, tribe, or local reporting requirement will suffice to establish that the individual uniquely entitled to use the device at the time of signature did so with the intent to sign the electronic document and give it effect. (4) Nothing in the authorized program limits the use of electronic documents or information derived from electronic documents as evidence in enforcement proceedings. Appendix 1 to Part 3—Priority Reports Description 40 CFR Citation Required Reports State Implementation Plan .............. Excess Emissions and Monitoring Performance Report Compliance Notification Report. New Source Performance Standards Reporting Requirements. Semi-annual Operations and Corrective Action Reports. VerDate Aug<31>2005 16:26 Oct 12, 2005 Emissions data reports for mobile sources ........................................... Excess emissions and monitoring performance report detailing the magnitude of excess emissions, and provides the date, time, and system status at the time of the excess emission. Semi-annual reports (quarterly, if report is approved for electronic submission by the permitting authority) on sulfur dioxide, nitrous oxides and particulate matter emission (includes reporting requirements in Subparts A through DDDD). Semi-annual report provides information on a company’s exceedance of its sulfur dioxide emission rate, sulfur content of the fresh feed, and the average percent reduction and average concentration of sulfur dioxide. When emissions data is unavailable, a signed statement is required which documents the changes, if any, made to the emissions control system that would impact the company’s compliance with emission limits. Jkt 208001 PO 00000 Frm 00038 Fmt 4701 Sfmt 4700 E:\FR\FM\13OCR3.SGM 51.60(c). 60.7(c), 60.7(d). 60.49a(e) & (j) & (v), 60.49b(v). 60.107(c), 60.107(d). 13OCR3 59885 Federal Register / Vol. 70, No. 197 / Thursday, October 13, 2005 / Rules and Regulations Category Description 40 CFR Citation National Emission Standards for Hazardous Air Pollutants Reporting Requirements. Include such reports as: Annual compliance, calculation, initial startup, compliance status, certifications of compliance, waivers from compliance certifications, quarterly inspection certifications, operations, and operations and process change. Hazardous Air Pollutants Compliance Report. Reports containing results from performance test, opacity tests, and visible emissions tests. Progress reports; periodic and immediate startup, shutdown, and malfunction reports; results from continuous monitoring system performance evaluations; excess emissions and continuous monitoring system performance report; or summary report. Reports that document a facility’s initial compliance status, notification of initial start-up, and periodic reports which includes the startup, shutdown, and malfunction reports discussed in 40 CFR 65.6(c). Quarterly emissions monitoring reports and opacity reports which document a facility’s excess emission. Registration of new fuels and additives, and the submission and certification of health effect data. 61.11, 61.24(a)(3) & (a)(8), 61.70(c)(1) & (c)(2)(v) & (c)(3) & (c)(4)(iv), 61.94(a) & (b)(9), 61.104(a) & (a)(1)(x) & (a)(1)(xi) & (a)(1)(xvi), 61.138(e) & (f), 61.165(d)(2) & (d)(3) & (d)(4) & (f)(1) & (f)(2) &(f)(3), 61.177(a)(2) & (c)(1) & (c)(2) & (c)(3) & (e)(1) & (e)(3), 61.186(b)(1) & (b)(2) & (b)(3) & (c)(1) & (f)(1), 61.247(a)(1) & (a)(4) & (a)(5)(v) & (b)(5) & (d), 61.254(a)(4), 61.275(a) & (b) & (c), 61.305(f) & (i), 61.357(a) & (b) & (c) & (d), 63.9(h). 63.10(d), 63.10(e)(1), 63.10(e)(3). Notifications and Reports ................ Continuous Emissions Monitoring ... Notice of Fuel or Fuel Additive Registration and Health Effects Testing. Manufacture In-Use and Product Line Emissions Testing. Industrial and Publicly Owned Treatment Works Reports. Reports that document the emissions testing results generated from the in-use testing program for new and in-use highway vehicle ignition engines; non-road spark-ignition engines; marine spark-ignition engines; and locomotives and locomotive engines. Discharge monitoring reports for all individual permittees—including baseline reports, pretreatment standards report, periodic compliance reports, and reports made by significant industrial users. 65.5(d), 65.5(e). 75.64, 75.65. 79.10, 79.11, 79.20, 79.21, 79.51. 86.1845, 86.1846, 86.1847, 90.113, 90.1205, 90.704, 91.805, 91.504, 92.607, 92.508, 92.509. 122.41(l)(4)(i), 403.12(b) & (d) & (e) & (h). Event Driven Notices State Implementation Plan .............. Report For Initial Performance Test Emissions Control Report ............... State Operating Permits—Permit Content. Title V Permits—Permit Content ..... Annual Export Report ...................... Exceptions Reports ......................... Contingency Plan Implementation Reports. Significant Report. Manifest Discrepancy Unmanifested Waste Report ........... Noncompliance Report .................... VerDate Aug<31>2005 16:26 Oct 12, 2005 Owners report emissions data from stationary sources ........................ Report that provides the initial performance test results, site-specific operating limits, and, if installed, information on the bag leak detection device used by the facility. Report submitted by new sources within 90 days of set-up which describes emission control equipment used, processes which generate asbestos-containing waste material, and disposal information. Monitoring and deviation reports under the State Operating Permit .... 51.211. 60.2200 (initial performance tests). Monitoring and deviation reports under the Federal Operating Permit Annual report summarizing the amount and type of hazardous waste exported. Reports submitted by a generator when the generator has not received confirmation from the Treatment, Storage, and Disposal Facility (TSDF) that it received the generator’s waste and when hazardous waste shipment was received by the TSDF. For exports, reports submitted when the generator has not received a copy of the manifest from the transporter with departure date and place of export indicated; and confirmation from the consignee that the hazardous waste was received or when the hazardous waste is returned to the U.S. Follow-up reports made to the Agency for all incidents noted in the operating record which required the implementation of a facility’s contingency plan. Report filed by Treatment, Storage, and Disposal Facilities (TSDF) within 15 days of receiving wastes, when the TSDF is unable to resolve manifest discrepancies with the generator. Report that documents hazardous waste received by a Treatment, Storage, and Disposal Facility without an accompanying manifest. An owner/operator submitted report which documents hazardous waste that was placed in hazardous waste management units in noncompliance with 40 CFR sections 264.1082(c)(1) and (c)(2); 264.1084(b); 264.1035(c)(4); or 264.1033(d). 71.6(a)(3)(iii). 262.56(a). Jkt 208001 PO 00000 Frm 00039 Fmt 4701 Sfmt 4700 E:\FR\FM\13OCR3.SGM 61.153(a)(1), 61.153(a)(5)(ii). 61.153(a)(4)(i), 70.6(a)(3)(iii)(A), 70.6(a)(3)(iii)(B). 262.42, 262.55. 264.56(j), 265.56(j). 264.72(b), 265.72(b). 264.76, 265.76. 264.1090. 13OCR3 59886 Federal Register / Vol. 70, No. 197 / Thursday, October 13, 2005 / Rules and Regulations Category Description Notification—Low Level Mixed Waste. Notification—Land Disposal Restrictions. Underground Storage Tank Notification. One-time notification concerning transportation and disposal of conditionally exempted waste. One-time notification and certification that characteristic waste is no longer hazardous. Underground Storage Tank system notifications concerning design, construction, and installation. As well as when systems are being placed in operation. (EPA Form 7530–1 or state version.). Report written and submitted within 45 days after confirming a free product release, including information on the release and recovery methods used for the free product, and when test indicate presence of free product, response measures. Premanufacture notification of intent to begin manufacturing, importing, or processing chemicals identified in Subpart E for significant new use (forms 7710–56 and 7710–25). Free Product Removal Report and Subsequent Investigation Report. Manufacture or Import Premanufacture Notification. 40 CFR Citation 266.345. 268.9(d). 280.22. 280.64, 280.65. 720.102, 721.25. Permit Applications 1 State Implementation Plan .............. State Operating Permits .................. Title V Permits—Permit Content ..... Title V Permits ................................. Reclaimer Certification .................... Application for Certification Statement of Compliance. and Application for Certification ............. National Pollutant Discharge Elimination System. Resource Conservation and Recovery Act Permit Applications and Modifications. Information describing the source, its construction schedule, and the planned continuous emissions reductions system. Reports, notices, or other written submissions required by a State Operating Permit. Reports, notices, or other written submissions required by a Title V Operating Permit. Specific criteria for permit modifications and or revisions, including a certification statement by a responsible official. Certification made by a reclaimer that the refrigerant was reprocessed according to specifications and that no more than 1.5% of the refrigerant was released during the reclamation. Control of Emissions for New and In-Use Highway Vehicles and Engines statement of compliance made by manufacturer, attesting that the engine family complies with standards for new and in-use highway vehicles and engines. Application made by engine manufacturer to obtain certificate of conformity. National Pollutant Discharge Elimination System (NPDES) Permits and Renewals (includes individual permit applications, NPDES General Form 1, and NPDES Forms 2A–F, and 2S). Signatures for permit applications and reports; submission of permit modifications. (This category excludes Class I permit modifications (40 CFR 270.42, Appendix I) that do not require prior approval). 52.21(n). 70.6(c)(1). 71.6(c)(1), 71.25(c)(1). 71.7(e(2)(ii)(c). 82.164. 86.007–21 (heavy duty), 1844–01 (light duty). 89.115, 90.107, 91.107, 92.203, 94.203. 122.21. 270.11, 270.42. Certifications of Compliance/Non-Applicability State Implementation Plan Requirements. Certification Statement .................... Title V Permits ................................. State Operating Permits .................. Annual and Other Compliance Certification Reports. Annual Compliance Certification Report, Opt-In Report, and Confirmation Report. Quarterly Reports and Compliance Certifications. Certification Letters Recovery and Recycling Equipment, Motor Vehicle Air Conditioners Recycling Program, Detergent Package. Response Plan Cover Sheet .......... Closure Report ................................ Certification of Closure and Post Closure Care, Post-Closure Notices. Certification of Testing Lab Analysis VerDate Aug<31>2005 18:22 Oct 12, 2005 State implementation plan certifications for testing, inspection, enforcement, and continuous emissions monitoring. Chemical Accident Prevention Provisions—Risk Management Plan certification statements. Federal compliance certifications and permit applications .................... State compliance certifications and permit applications ....................... Annual compliance certification report and is submitted by units subject to acid rain emissions limitations. Annual compliance certification report which is submitted in lieu of annual compliance certification report listed in Subpart I of Part 72. 51.212(c), 51.214(e). Continuous Emission Monitoring certifications, monitoring plans, and quarterly reports for NOX emissions. Protection of Stratospheric Ozone: Recycling & Emissions Reduction. Acquisition of equipment for recovery or recycling made by auto repair service technician and Fuels and Fuel Additives Detergent additive certification. Oil Pollution Prevention certification to the truth and accuracy of information. Report which documents that closure was in accordance with closure plan and/or details difference between actual closure and the procedures outlined in the closure plan. Certification that Treatment, Storage, and Disposal Facilities (TSDF) are closed in accordance with approved closure plan or post-closure plan. Certification that the testing and/or lab analyses required for the treatment demonstration phase of a two-phase permit was conducted. 75.73. Jkt 208001 PO 00000 Frm 00040 Fmt 4701 Sfmt 4700 E:\FR\FM\13OCR3.SGM 68.185. 70.5(c)(9), 70.5(d), 70.6(c)(5). 71.5(c)(9), 71.5(d), 71.24(f). 72.90. 74.43. 79.4, 80.161, 82.162, 82.42. 112 (Appendix f). 146.71. 264.115, 264.119, 264.119(b)(2), 264.120, 265.115, 265.119(b)(2), 265.120, 265.19. 270.63. 13OCR3 Federal Register / Vol. 70, No. 197 / Thursday, October 13, 2005 / Rules and Regulations Category Description Periodic Certification ....................... Certification that facility is operating its system to provide equivalent treatment as in initial certification. 59887 40 CFR Citation 437.41(b). 1 Included within each permit application category, though sometimes not listed, are the permits submitted to run/operate/maintain facilities and/or equipment/products under EPA or authorized programs. PART 9—OMB APPROVALS UNDER THE PAPERWORK REDUCTION ACT 1. The authority citation for part 9 continues to read as follows: I Authority: 7 U.S.C. 135 et seq., 136–136y; 15 U.S.C. 2001, 2003, 2005, 2006, 2601–2671; 21 U.S.C. 331j, 346a, 31 U.S.C. 9701; 33 U.S.C. 125l et seq., 1311, 1313d, 1314, 1318, 1321, 1326, 1330, 1342, 1344, 1345 (d) and (e), 1361; E.O. 11735, 38 FR 21243, 3 CFR, 1971–1975 Comp. p. 973; 42 U.S.C. 241, 242b, 243, 246, 300f, 300g, 300g-1, 300g-2, 300g-3, 300g-4, 300g-5, 300g-6, 300j-1, 300j2, 300j-3, 300j-4, 300j-9, 1857 et seq., 6901– 6992k, 7401–7671q, 7542, 9601–9657, 11023, 11048. 2. Section 9.1 is amended by adding a new entry in numerical order for part 3 to read as follows: I § 9.1 OMB approvals under the Paperwork Reduction Act. * * * * * 40 CFR citation OMB Control No. 2. Section 60.25(b)(1) is amended by adding a sentence to the end of the paragraph to read as follows: I § 60.25 Emission inventories, source surveillance, reports. * * * * * (b)(1) * * * Submission of electronic documents shall comply with the requirements of 40 CFR part 3— (Electronic reporting). * * * * * PART 63—NATIONAL EMISSION STANDARDS FOR HAZARDOUS AIR POLLUTANTS FOR SOURCE CATEGORIES 1. The authority citation for part 63 continues to read as follows: I Authority: 42 U.S.C. 7401 et seq. 2. Section 63.91 is amended by adding a new paragraph (d)(5)to read as follows: I § 63.91 Criteria for straight delegation and criteria common to all approved options. * * * * * * * * * * (d) * * * (5) Electronic documents. Submission Cross-Media Electronic Reporting of electronic documents shall comply with the requirements of 40 CFR part Part 3 ........................................ 2025–0003 3—(Electronic reporting). * * * * * * * * * * PART 69—SPECIAL EXEMPTIONS FROM REQUIREMENTS OF THE CLEAN AIR ACT PART 51—REQUIREMENTS FOR PREPARATION, ADOPTION, AND SUBMITTAL OF IMPLEMENTATION PLANS 1. The authority citation for part 69 continues to read as follows: I 1. The authority citation for part 51 continues to read as follows: I Authority: 23 U.S.C. 101; 42 U.S.C. 7401– 7671q. Electronic reporting. PART 60—STANDARDS OF PERFORMANCE FOR NEW STATIONARY SOURCES 1. The authority citation for part 60 continues to read as follows: I Authority: 42 U.S.C. 7401–7601. 16:26 Oct 12, 2005 Jkt 208001 Title V conditional exemption. * * * * * (b) * * * (1) * * * (v) If the program chooses to accept electronic documents it must satisfy the requirements of 40 CFR Part 3— (Electronic reporting). * * * * * PART 70—STATE OPERATING PERMIT PROGRAMS 1. The authority citation for part 70 continues to read as follows: I Authority: 42 U.S.C. 7401, et seq. 2. Section 70.1 is amended by adding a new paragraph (f) to read as follows: I § 70.1 Program overview. * * * * * (f) States that choose to receive electronic documents must satisfy the requirements of 40 CFR Part 3— (Electronic reporting) in their program. PART 71—FEDERAL OPERATING PERMIT PROGRAMS 1. The authority citation for part 71 continues to read as follows: I Authority: 42 U.S.C. 7401, et seq. 2. Section 69.13 is amended by adding a new paragraph (b)(1)(v) to read as follows: I § 71.10 I Title V conditional exemption. 2. Section 71.10 is amended by adding a new sentence to the end of paragraph (a) to read as follows: Delegation of part 71 program. * * * * (b) * * * (1) * * * (v) If the program chooses to accept electronic documents it must satisfy the requirements of 40 CFR Part 3— (Electronic reporting). * * * * * I 3. Section 69.22 is amended by adding a new paragraph (b)(1)(v) to read as follows: (a) * * * Delegate agencies that choose to receive electronic documents as part of their delegated program must satisfy the requirements of 40 CFR Part 3— (Electronic reporting). * * * * * § 69.22 States that wish to receive electronic documents must revise the State Implementation Plan to satisfy the requirements of 40 CFR Part 3— (Electronic reporting). VerDate Aug<31>2005 § 69.32 § 69.13 2. Section 51.286 is added to Subpart O to read as follows: I § 51.286 Authority: 42 U.S.C. 7545(c), (g) and (i), and 7625–1. (b) * * * (1) * * * (v) If the program chooses to accept electronic documents it must satisfy the requirements of 40 CFR Part 3— (Electronic reporting). * * * * * I 4. Section 69.32 is amended by adding a new paragraph (b)(1)(v) to read as follows: Authority: Clean Water Act, 33 U.S.C. 1251 et seq. * * PO 00000 * Title V conditional exemption. * Frm 00041 * Fmt 4701 * Sfmt 4700 PART 123—STATE PROGRAM REQUIREMENTS 1. The authority citation for part 123 continues to read as follows: I E:\FR\FM\13OCR3.SGM 13OCR3 59888 Federal Register / Vol. 70, No. 197 / Thursday, October 13, 2005 / Rules and Regulations 2. Section 123.25 is amended by revising paragraphs (a)(44) and (a)(45), adding the phrase ‘‘Except for paragraph (a)(46) of this section,’’ at the beginning of the Note to paragraph (a), and adding a new paragraph (a)(46) to read as follows: (33) For states that wish to receive electronic documents, 40 CFR Part 3— (Electronic reporting). * * * * * § 123.25 I I Requirements for permitting. (a) * * * (44) § 122.35 (As an operator of a regulated small MS4, may I share the responsibility to implement the minimum control measures with other entities?); (45) § 122.36 (As an operator of a regulated small MS4, what happens if I don’t comply with the application or permit requirements in §§ 122.33 through 122.35?); and (46) For states that wish to receive electronic documents, 40 CFR Part 3— (Electronic reporting). * * * * * PART 142—NATIONAL PRIMARY DRINKING WATER REGULATIONS IMPLEMENTATION 1. The authority citation for part 142 continues to read as follows: I Authority: 42 U.S.C. 300f, 300g-1, 300g-2, 300g-3, 300g-4, 300g-5, 300g-6, 300j-4, 300j9, and 300j-11. 2. Section 142.10 is amended by redesignating paragraph (g) as paragraph (h) and by adding a new paragraph (g) to read as follows: I § 142.10 Requirements for a determination of primary enforcement responsibility. * * * * * (g) Has adopted regulations consistent with 40 CFR Part 3—(Electronic reporting) if the state receives electronic documents. * * * * * PART 145—REQUIREMENTS FOR STATE PROGRAMS 1. The authority citation for part 145 continues to read as follows: I § 145.11 Requirements for permitting. (a) * * * (30) Section 124.12(a)—(Public hearings); (31) Section 124.17 (a) and (c)— (Response to comments); (32) Section 144.88—(What are the additional requirements?); and VerDate Aug<31>2005 16:26 Oct 12, 2005 Jkt 208001 Authority: 33 U.S.C. 1345(d) and (e); 42 U.S.C. 6902(a), 6907, 6912(a), 6944, 6945(c) and 6949a(c). 1. The authority citation for part 162 continues to read as follows: I Authority: 7 U.S.C. 136v, 136w. 2. Section 162.153 is amended by adding a paragraph (a)(6) to read as follows: I § 162.153 State registration procedures. (a) * * * (6) Electronic Reporting under State Registration of Pesticide Products for Special Local Needs. States that choose to receive electronic documents under the regulations pertaining to state registration of pesticides to meet special local needs, must ensure that the requirements of 40 CFR Part 3— (Electronic reporting) are satisfied by their state procedures for such registrations. * * * * * PART 233—404 STATE PROGRAM REGULATIONS 1. The authority citation for part 233 continues to read as follows: I Authority: 33 U.S.C. 1251 et seq. 2. A new § 233.39 is added to Subpart D to read as follows: I § 233.39 Electronic reporting. States that choose to receive electronic documents must satisfy the requirements of 40 CFR Part 3— (Electronic reporting) in their state program. PART 257—CRITERIA FOR CLASSIFICATION OF SOLID WASTE DISPOSAL FACILITIES AND PRACTICES 1. The authority citation for part 257 continues to read as follows: 2. Section 145.11 is amended by revising paragraphs (a)(30), (a)(31), (a)(32), and adding paragraph (a)(33) to read as follows: I 1. The authority citation for part 258 continues to read as follows: I PART 162—STATE REGISTRATION OF PESTICIDE PRODUCTS I Authority: 42 U.S.C. 300f et seq. PART 258—CRITERIA FOR MUNICIPAL SOLID WASTE LANDFILLS Authority: 42 U.S.C. 6907(a)(3), 6912(a)(1), 6944(a) and 6949(c), 33 U.S.C. 1345(d) and (e). 2. Section 257.30 is amended by adding a new paragraph (d) to read as follows: I § 257.30 Recordkeeping requirements. * * * * * (d) The Director of an approved state program may receive electronic documents only if the state program includes the requirements of 40 CFR Part 3—(Electronic reporting). PO 00000 Frm 00042 Fmt 4701 Sfmt 4700 2. Section 258.29 is amended by adding a new paragraph (d) to read as follows: § 258.29 Recordkeeping requirements. * * * * * (d) The Director of an approved state program may receive electronic documents only if the state program includes the requirements of 40 CFR Part 3—(Electronic reporting). PART 271—REQUIREMENTS FOR AUTHORIZATION OF STATE HAZARDOUS WASTE PROGRAMS 1. The authority citation for part 271 continues to read as follows: I Authority: 42 U.S.C. 6905, 6912 and 6926. 2. Section 271.10 is amended by revising paragraph (b) to read as follows: I § 271.10 Requirements for generators of hazardous waste. * * * * * (b) The State shall have authority to require and shall require all generators to comply with reporting and recordkeeping requirements equivalent to those under 40 CFR 262.40 and 262.41. States must require that generators keep these records at least 3 years. States that choose to receive electronic documents must include the requirements of 40 CFR Part 3— (Electronic reporting) in their Program (except that states that choose to receive electronic manifests and/or permit the use of electronic manifests must comply with any applicable requirements for e-manifest in this section of this section). * * * * * I 3. Section 271.11 is amended by revising paragraph (b) to read as follows: § 271.11 Requirements for transporters of hazardous waste. * * * * * (b) The State shall have authority to require and shall require all transporters to comply with reporting and recordkeeping requirements equivalent to those under 40 CFR 263.22. States must require that transporters keep these records at least 3 years. States that choose to receive electronic documents must include the requirements of 40 CFR Part 3—(Electronic reporting) in their Program (except that states that choose to receive electronic manifests E:\FR\FM\13OCR3.SGM 13OCR3 Federal Register / Vol. 70, No. 197 / Thursday, October 13, 2005 / Rules and Regulations and/or permit the use of electronic manifests must comply with any applicable requirements for e-manifest in this section of this section). * * * * * I 4. Section 271.12 is amended by revising paragraph (h) to read as follows: § 271.12 Requirements for hazardous waste management facilities. * * * * * (h) Inspections, monitoring, recordkeeping, and reporting. States that choose to receive electronic documents must include the requirements of 40 CFR Part 3—(Electronic reporting) in their Program (except that states that choose to receive electronic manifests and/or permit the use of electronic manifests must comply with paragraph (i) of this section); * * * * * PART 281—APPROVAL OF STATE UNDERGROUND STORAGE TANK PROGRAMS 1. The authority citation for part 281 continues to read as follows: Authority: 42 U.S.C. 6912, 6991 (c), (d), (e), (g). 2. Section 281.40 is amended by revising paragraph (d) to read as follows: I § 281.40 Requirements for compliance monitoring program and authority. * * * * * (d) State programs must have procedures for receipt, evaluation, retention and investigation of records and reports required of owners or operators and must provide for enforcement of failure to submit these records and reports. States that choose to receive electronic documents must include the requirements of 40 CFR Part 3—(Electronic reporting) in their state program. * * * * * PART 403—GENERAL PRETREATMENT REGULATIONS FOR EXISTING AND NEW SOURCES OF POLLUTION 1. The authority citation for part 403 continues to read as follows: I 2. Section 403.8 is amended by adding a new paragraph (g) to read as follows: * * * * * (g) A POTW that chooses to receive electronic documents must satisfy the VerDate Aug<31>2005 19:07 Oct 12, 2005 Jkt 208001 * * * * * (r) The Control Authority that chooses to receive electronic documents must satisfy the requirements of 40 CFR Part 3—(Electronic reporting). PART 501—STATE SLUDGE MANAGEMENT PROGRAM REGULATIONS 1. The authority citation for part 501 continues to read as follows: I Authority: 33 U.S.C. 1251 et seq. 2. Section 501.15 is amended by adding a new paragraph (a)(4) to read as follows: I Requirements for permitting. (a) * * * (4) Information requirements: All treatment works treating domestic sewage shall submit to the Director within the time frames established in paragraph (d)(1)(ii) of this section the information listed in paragraphs (a)(4)(i) through (xii) of this section. The Director of an approved state program that chooses to receive electronic documents must satisfy the requirements of 40 CFR part 3— (Electronic reporting). * * * * * PART 745—LEAD-BASED PAINT POISONING PREVENTION IN CERTAIN RESIDENTIAL STRUCTURES 1. The authority citation for part 745 continues to read as follows: I Authority: 15 U.S.C. 2605, 2607, 2681– 2692 and 42 U.S.C. 4852d. 2. Section 745.327 is amended by adding a new paragraph (f) to read as follows: I § 745.327 State or Indian Tribal lead-based paint compliance and enforcement programs. * Authority: 33 U.S.C. 1251 et seq. § 403.8 Pretreatment Program Requirements: Development and Implementation by POTW. § 403.12 Reporting requirements for POTW’s and industrial users. § 501.15 I I requirements of 40 CFR Part 3— (Electronic reporting). I 3. Section 403.12 is amended by adding a new paragraph (r) to read as follows: * * * * (f) Electronic reporting under State or Indian Tribe programs. States and tribes that choose to receive electronic documents under the authorized state or Indian tribe lead-based paint program, must ensure that the requirements of 40 CFR part 3—(Electronic reporting) are satisfied in their lead-based paint program. PO 00000 Frm 00043 Fmt 4701 Sfmt 4700 59889 PART 763—ASBESTOS 1. The authority citation for part 763 continues to read as follows: I Authority: 15 U.S.C. 2605, 2607(c), 2643, and 2646. 2. Section 763.98 is amended by revising paragraphs (a)(1), (b)(3), and (d)(3) to read as follows: I § 763.98 Waiver; delegation to state. (a) General. (1) Upon request from a state Governor and after notice and comment and an opportunity for a public hearing in accordance with paragraphs (b) and (c) of this section, EPA may waive some or all of the requirements of this subpart E if the state has established and is implementing or intends to implement a program of asbestos inspection and management that contains requirements that are at least as stringent as the requirements of this subpart. In addition, if the state chooses to receive electronic documents, the state program must include, at a minimum, the requirements of 40 CFR part 3— (Electronic reporting). * * * * * (b) * * * (3) Detailed reasons, supporting papers, and the rationale for concluding that the state’s asbestos inspection and management program provisions for which the request is made are at least as stringent as the requirements of Subpart E of this part, and that, if the state chooses to receive electronic documents, the state program includes, at a minimum, the requirements of 40 CFR part 3—(Electronic reporting). * * * * * (d) * * * (3) The state has an enforcement mechanism to allow it to implement the program described in the waiver request and any electronic reporting requirements are at least as stringent as 40 CFR part 3—(Electronic reporting). * * * * * I 3. Appendix C to subpart E of part 763 is amended by adding paragraph (I) to section I to read as follows: Appendix C to Subpart E of Part 763— Asbestos Model Accreditation Plan I. Asbestos Model Accreditation Plan for States * * * * * (I) Electronic Reporting. States that choose to receive electronic documents must include, at a minimum, the requirements of 40 CFR Part 3—(Electronic reporting) in their programs. * * * * * [FR Doc. 05–19601 Filed 10–12–05; 8:45 am] BILLING CODE 6560–50–P E:\FR\FM\13OCR3.SGM 13OCR3

Agencies

[Federal Register Volume 70, Number 197 (Thursday, October 13, 2005)]
[Rules and Regulations]
[Pages 59848-59889]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 05-19601]



[[Page 59847]]

-----------------------------------------------------------------------

Part III





Environmental Protection Agency





-----------------------------------------------------------------------



40 CFR Parts 3, 9, 51 et al.



Cross-Media Electronic Reporting; Final Rule

Federal Register / Vol. 70, No. 197 / Thursday, October 13, 2005 / 
Rules and Regulations

[[Page 59848]]


-----------------------------------------------------------------------

ENVIRONMENTAL PROTECTION AGENCY

40 CFR Parts 3, 9, 51, 60, 63, 69, 70, 71, 123, 142, 145, 162, 233, 
257, 258, 271, 281, 403, 501, 745 and 763

[FRL-7977-1]
RIN 2025-AA07


Cross-Media Electronic Reporting

AGENCY: Environmental Protection Agency (EPA).

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: EPA is establishing the framework by which it will accept 
electronic reports from regulated entities in satisfaction of certain 
document submission requirements in EPA's regulations. EPA will provide 
public notice when the Agency is ready to receive direct submissions of 
certain documents from regulated entities in electronic form consistent 
with this rulemaking via an EPA electronic document receiving system. 
This rule does not mandate that regulated entities utilize electronic 
methods to submit documents in lieu of paper-based submissions. In 
addition, EPA is not taking final action on the electronic 
recordkeeping requirements at this time.
    States, tribes, and local governments will be able to seek EPA 
approval to accept electronic documents to satisfy reporting 
requirements under environmental programs that EPA has delegated, 
authorized, or approved them to administer. This rule includes 
performance standards against which a state's, tribe's, or local 
government's electronic document receiving system will be evaluated 
before EPA will approve changes to the delegated, authorized, or 
approved program to provide electronic reporting, and establishes a 
streamlined process that states, tribes, and local governments can use 
to seek and obtain such approvals.

DATES: This rule shall become effective January 11, 2006.

ADDRESSES: The public record for this rulemaking has been established 
under docket number OEI-2003-0001 and is located in the EPA Docket 
Center, (EPA/DC) EPA West, Room B102, 1301 Constitution Ave., NW., 
Washington, DC. The EPA Docket Center Public Reading Room is open from 
8:30 a.m. to 4:30 p.m., Monday through Friday, excluding legal 
holidays. (See SUPPLEMENTARY INFORMATION below.)

FOR FURTHER INFORMATION CONTACT: For general information on this final 
rule, contact the docket above. For more detailed information on 
specific aspects of this rulemaking, contact David Schwarz (2823T), 
Office of Environmental Information, U.S. Environmental Protection 
Agency, 1200 Pennsylvania Avenue, NW., Washington, DC 20460, (202) 566-
1704, schwarz.david@epa.gov, or Evi Huffer (2823T), Office of 
Environmental Information, U.S. Environmental Protection Agency, 1200 
Pennsylvania Avenue, NW., Washington, DC 20460, (202) 566-1697, 
huffer.evi@epa.gov.

SUPPLEMENTARY INFORMATION:

General Information

A. Affected Entities

    This rule will potentially affect states, tribes, and local 
governments that have been delegated, authorized, or approved, or which 
seek delegation, authorization, or approval to administer a federal 
environmental program under Title 40 of the Code of Federal Regulations 
(CFR). For purposes of this rulemaking, the term ``state'' includes the 
District of Columbia and the United States territories, as specified in 
the applicable statutes. That is, the term ``state'' includes the 
District of Columbia, the Commonwealth of Puerto Rico, the Virgin 
Islands, Guam, American Samoa, the Commonwealth of Northern Marina 
Islands, and the Trust Territory of the Pacific Islands, depending on 
the statute.
    The rule will also potentially affect private parties subject to 
any requirements in Title 40 of the CFR that require a document to be 
submitted to EPA. Affected Entities include, but are not necessarily 
limited to:

------------------------------------------------------------------------
                                                Examples of affected
                 Category                             entities
------------------------------------------------------------------------
Local government..........................  Publicly owned treatment
                                             works, owners and operators
                                             of treatment works treating
                                             domestic sewage, local and
                                             regional air boards, local
                                             and regional waste
                                             management authorities, and
                                             municipal and other
                                             drinking water authorities.
Private...................................  Industry owners and
                                             operators, waste
                                             transporters, privately
                                             owned treatment works or
                                             other treatment works
                                             treating domestic sewage,
                                             privately owned water
                                             works, small businesses of
                                             various kinds, sponsors
                                             such as laboratories that
                                             submit or initiate/support
                                             studies, and testing
                                             facilities that both
                                             initiate and conducts
                                             studies.
Tribe and State governments...............  States, tribes or
                                             territories that administer
                                             any federal environmental
                                             programs delegated,
                                             authorized, or approved by
                                             EPA under Title 40 of the
                                             CFR.
Federal government........................  Federally owned treatment
                                             works and industrial
                                             dischargers, and federal
                                             facilities subject to
                                             hazardous waste regulation.
------------------------------------------------------------------------

    This table is not intended to be exhaustive, but rather provides a 
guide for readers regarding entities likely to be affected by this 
action. This table lists the types of entities that EPA is now aware 
can potentially be affected by this action. Other types of entities not 
listed in the table can also be affected. If you have questions 
regarding the applicability of this action to a particular entity, 
consult the person listed in the preceding FOR FURTHER INFORMATION 
CONTACT section.

B. How Can I Get Copies of This Document and Other Related Information?

    1. Docket. EPA has established an official public docket for this 
action under Docket ID No. OEI-2003-0001. The official public docket 
consists of the documents specifically referenced in this action, any 
public comments received, and other information related to this action. 
Although a part of the official docket, the public docket does not 
include Confidential Business Information (CBI) or other information 
whose disclosure is restricted by statute. The official public docket 
is the collection of materials that is available for public viewing at 
the Cross-Media Electronic Reporting Rule (CROMERR) Docket in the EPA 
Docket Center (EPA/DC), EPA West, Room B102, 1301 Constitution Ave., 
NW., Washington, DC. The EPA Docket Center Public Reading Room is open 
from 8:30 a.m. to 4:30 p.m., Monday through Friday, excluding legal 
holidays. The telephone number for the Public Reading Room is (202) 
566-1744, and the telephone number for the Office of Environmental 
Information Docket is (202) 566-1752. You may have to pay a reasonable 
fee for copying.
    An electronic version of the public docket is available through 
EPA's

[[Page 59849]]

electronic public docket and comment system, EDOCKET. You may use 
EDOCKET at https://www.epa.gov/edocket/ to view public comments, access 
the index listing of the contents of the official public docket, and to 
access those documents in the public docket that are available 
electronically. Although not all docket materials may be available 
electronically, you may still access any of the publicly available 
docket materials. After selecting the ``Using EDOCKET'' icon, select 
``quick search,'' then key in the appropriate docket identification 
number. Double click on the document identification number to bring up 
the docket contents.
    2. Electronic Access. You may access this Federal Register document 
electronically through the EPA Internet under the ``Federal Register'' 
listings at https://www.epa.gov/fedrgstr/.

Organization of This Document

    Information in this Preamble is organized as follows:
I. Overview
    A. Why does the Agency seek to provide electronic alternatives 
to paper-based reporting and recordkeeping?
    B. What does the electronic reporting rule do?
    C. What is the status of the proposed electronic recordkeeping 
provisions?
    D. How were stakeholders consulted during the development of 
today's final rule?
    E. What alternatives to today's final rule did EPA consider?
II. Background
    A. What has been EPA's electronic reporting policy?
    B. How does today's final rule change EPA's electronic reporting 
policy?
III. Scope of the Electronic Reporting Rule
    A. Who may submit electronic documents?
    B. Which documents can be filed electronically?
    C. How does this final rule implement electronic reporting?
IV. Major Changes from Proposed Electronic Reporting Provisions
    A. How does the rule streamline the approval of electronic 
reporting under authorized state, tribe, and local government 
programs?
    1. Review of the proposal
    2. Comments on the proposal
    3. Revisions in the final rule
    B. How has EPA revised the requirements that state, tribe, and 
local government electronic reporting programs must satisfy?
    1. Review of the proposal
    2. Comments on the proposed criteria for electronic document 
receiving systems
    3. Revisions to the criteria in the final rule
    C. How has EPA accommodated electronic submissions with follow-
on paper certifications?
    D. How has EPA changed proposed definitions of terms?
    1. Definition of ``acknowledgment''
    2. Definition of ``electronic document''
    3. Definition of ``electronic signature''
    4. Definition of ``electronic signature device''
    5. Definition of ``transmit''
    6. Definition of ``valid electronic signature''
V. Requirements for Direct Electronic Reporting to EPA
    A. What are the requirements for electronic reporting to EPA?
    B. What is the status of existing electronic reporting to EPA?
    C. What is EPA's Central Data Exchange?
    1. Overview of general goals
    2. Comments on the proposal
    3. The aspects of CDX that have not changed since proposal
    4. The major changes that EPA has made to CDX since proposal
    D. How will EPA provide notice of changes to CDX?
VI. Requirements for Electronic Reporting under EPA-Authorized 
Programs
    A. What is the general regulatory approach?
    B. When must authorized state, tribe, or local government 
programs revise or modify their programs to allow electronic 
reporting?
    1. The general requirement
    2. Deferred compliance for existing systems
    C. What alternative procedures does EPA provide for revising or 
modifying authorized state, tribe, or local government programs for 
electronic reporting?
    1. The application
    2. Review for completeness
    3. EPA actions on applications
    4. Revisions or modifications associated with existing systems
    5. Public hearings for Part 142 revisions or modifications
    6. Re-submissions and amendments
    D. What general requirements must state, tribe, and local 
government electronic reporting programs satisfy?
    E. What standards must state, tribe, and local government 
electronic document receiving systems satisfy?
    1. Timeliness of data generation
    2. Copy of record
    3. Integrity of the electronic document
    4. Submission knowingly
    5. Opportunity to review and repudiate copy of record
    6. Validity of the electronic signature
    7. Binding the signature to the document
    8. Opportunity to review
    9. Understanding the act of signing
    10. The electronic signature or subscriber agreement
    11. Acknowledgment of receipt
    12. Determining the identity of the individual uniquely entitled 
to use a signature device
VII. What are the Costs of Today's Rule?
    A. Summary of proposal analysis
    B. Final rule costs
    C. General changes to methodology and assumptions
VIII. Statutory and Executive Order Reviews
    A. Executive Order 12866
    B. Executive Order 13132
    C. Paperwork Reduction Act
    D. Regulatory Flexibility Act
    E. Unfunded Mandates Reform Act
    F. National Technology Transfer and Advancement Act
    G. Executive Order 13045
    H. Executive Order 13175
    I. Executive Order 13211 (Energy Effects)
    J. Congressional Review Act

I. Overview

A. Why does the Agency seek to provide electronic alternatives to 
paper-based reporting and recordkeeping?

    In the Federal Register of August 31, 2001 (66 FR 46162), EPA 
published a notice of proposed rulemaking, announcing the goal of 
making electronic reporting and electronic recordkeeping available 
under EPA regulatory programs. The Agency believes that the submission 
and storage of electronic documents in lieu of paper documents can:
     Reduce the cost and burden of data transfer and 
maintenance for all parties to the data exchanges;
     Improve the data and the various business processes 
associated with its use in ways that may not be reflected directly in 
cost-reduction, e.g., through improvements in data quality, and the 
speed and convenience with which data may be transferred and used; and
     Maintain the level of corporate and individual 
responsibility and accountability for electronic reports and records 
that currently exists in the paper environment.

Recent federal policy and law are also strong drivers of electronic 
alternatives to traditional reporting and recordkeeping. The Government 
Paperwork Elimination Act (GPEA) of 1998, Title XVII of Public Law 105-
277, requires the Director of the Office of Management and Budget (OMB) 
to ensure that executive agencies provide for the option of the 
electronic maintenance, submission, or disclosure of information as a 
substitute for paper when practicable, and for the use and acceptance 
of electronic signatures, when practicable. See GPEA section 1704. 
Given the enormous strides in data transfer and management 
technologies, particularly in connection with the Internet, replacing 
paper with electronic data transfer now promises increased productivity 
across almost all facets of business and government.
    In seeking to make electronic alternatives available that were not 
contemplated when most existing EPA regulations were written, EPA was 
mindful of the need to maintain our ability to carry out our statutory 
environmental and health protection mission, in part through ensuring 
the integrity of environmental compliance documents. Accordingly, the 
intended

[[Page 59850]]

effect of the proposed regulation was to permit and encourage the use 
of electronic technologies in a manner that is consistent with EPA's 
overall mission and that preserves the integrity of the Agency's 
compliance and enforcement activities.
    The Agency believes that it is essential to ensure that electronic 
reports can play the same role as their paper counterparts in providing 
evidence of what was reported and to what identified individuals 
certified with respect to the report. Otherwise, electronic reporting 
places at risk the continuing viability of self-monitoring and self-
reporting that provides the framework for compliance under most of our 
environmental programs. The purpose of today's final rule is therefore 
twofold. Today's rule is intended to provide regulated industry, EPA, 
and state, tribe, and local governments with electronic reporting 
alternatives that improve the efficiency, the speed, and the quality of 
regulatory reporting. At the same time, the rule is intended to ensure 
the legal dependability of electronic documents submitted under 
environmental programs. This includes, among other things, ensuring 
that individuals will be held as responsible and accountable for the 
electronic signatures, which they execute, and for the documents to 
which such signatures attest as they currently are in cases of 
documents where they execute handwritten signatures.

B. What does the electronic reporting rule do?

    EPA is announcing today the final regulatory provisions in a new 
part 3 of Title 40 of the CFR for electronic reporting to EPA and under 
authorized state, tribe, and local government programs. ``Authorized 
program'' is shorthand for a federal program that EPA has delegated, 
authorized, or approved a state, tribe or local government to 
administer under other provisions of title 40 of the CFR, where the 
delegation, authorization, or approval has not been withdrawn or 
expired. Section 3.3 of the rule codifies this usage in the regulatory 
text. This use of ``authorized'' does not mean that EPA is precluded 
from an enforcement action by a prior enforcement action being taken by 
a state, tribe, or local government under its authorized program. The 
final rule incorporates changes made after publication of the proposed 
rule that are discussed in detail in section IV of this Preamble. This 
rule establishes electronic reporting as an acceptable regulatory 
alternative across a broad spectrum of EPA programs, and establishes 
requirements to assure that electronic documents are as legally 
dependable as their paper counterparts.
    The requirements in Subpart B of the rule apply to entities that 
choose to submit electronic documents for direct reporting to EPA, 
including state, tribe, and local government facilities that choose to 
submit electronic documents to EPA to satisfy requirements that apply 
to them under other provisions of title 40 of the CFR. However, the 
scope of this final rule excludes any data transfers between EPA and 
states, tribes, or local governments as a part of their authorized 
programs or as a part of administrative arrangements between states, 
tribes, or local governments and EPA to share data. The requirements in 
Subpart D of the rule provide for electronic reporting under authorized 
state, tribe, and local government programs and apply to the 
governmental entities administering the authorized programs. Under the 
final rule, states, tribes, and local governments have the choice of 
using electronic submission rather than paper for reporting under their 
authorized programs. Comments on the proposed rule indicated that some 
states and local governments are now requiring electronic reporting 
under those programs. Existing electronic document receiving systems 
must receive EPA approval in accordance with Subpart D in order to meet 
the requirements of part 3.
    This rule does not require that any document be submitted 
electronically, and it does not require any state, tribe, or local 
authorized program to receive electronic documents. Public access to 
environmental compliance information is not affected by today's action.
    Additionally, the scope of the final rule specifically excludes the 
submission of any electronic document via magnetic or optical media--
for example via diskette, compact disk (CD), digital video disc (DVD), 
or tape--as well as the transmission of documents via hard copy 
facsimile or ``fax.'' The exclusion of magnetic or optical media 
submissions from the scope of this rule in no way indicates EPA's 
rejection of these technologies as a valid approach to paperless 
reporting. Magnetic and optical media submissions fulfill the goal of 
providing alternatives to submission on paper. EPA has already 
successfully implemented a paperless reporting alternative that 
utilizes magnetic and optical media submissions to fulfill many 
regulatory reporting requirements. Such instances include reporting 
related to the hazardous waste, Toxic Release Inventory, and pesticide 
registration programs. EPA expects these magnetic and optical media 
approaches to paperless reporting to continue, and nothing in today's 
rule should be interpreted to proscribe or discourage them.
    For entities that report to EPA directly and do so by submitting 
electronic documents, today's action requires that these documents be 
submitted either to the Agency's centralized electronic document 
receiving system, called the ``Central Data Exchange'' (CDX), or to 
alternative systems designated by the Administrator as described herein 
and in a separate Federal Register notice. Entities that submit 
electronic documents directly to EPA will satisfy the requirements in 
today's rule by successfully submitting their reports to one of these 
systems. While we do not intend to codify any of the details of how CDX 
operates or how it is constructed, the characteristics of the CDX and 
the submission scenarios are described later in this Preamble. In 
addition, the CDX design specifications are included as a part of this 
rulemaking docket.
    Many facilities submit documents directly to states, tribes, or 
local governments under authorized programs. For currently authorized 
programs that receive or wish to begin receiving electronic documents 
in lieu of paper, this rule requires EPA approval of program revisions 
or modifications that address their electronic reporting 
implementations. For programs initially seeking authorization, this 
rule requires EPA approval of any electronic reporting components of 
the programs. In both cases, EPA approval will be based largely on an 
assessment of the program's ``electronic document receiving system'' 
that is or will be used to implement electronic reporting. For this 
purpose, this rule includes performance-based standards that EPA will 
use to determine that an electronic document receiving system is 
acceptable. To implement electronic reporting under currently 
authorized programs, EPA is creating a streamlined procedure that 
states, tribes, and local governments may use to revise or modify their 
authorized programs to incorporate electronic reporting. Today's 
rulemaking also includes special provisions for authorized programs' 
electronic document receiving systems that exist at the time of 
publication of this final rule.
    It is worth noting that EPA can approve changes to authorized 
state, tribe, or local programs that involve the use of CDX to receive 
data submissions from their reporting communities, and EPA is exploring 
opportunities to

[[Page 59851]]

leverage CDX resources for use by states, tribes, and local 
governments. As currently implemented, CDX provides the major systems 
infrastructure components necessary to achieve electronic reporting 
consistent with the standards in this rule for assessing state, tribe, 
or local government electronic document receiving systems. 
Additionally, EPA has set the goal of making CDX operations fully 
consistent with the requirements in today's rule within two years.
    While today's rule establishes electronic reporting as a regulatory 
alternative, EPA will make the electronic submission alternative 
available for specific reports or other documents only as EPA announces 
its readiness to receive them through CDX or another designated system. 
EPA will publish announcements in the Federal Register as CDX and other 
systems become available for particular environmental reports. These 
elements are discussed in more detail in section V of this Preamble.
    In a notice published concurrently with today's rule, EPA clarifies 
the status of electronic reporting directly to EPA systems that exist 
as of the rule's publication date. In accordance with 40 CFR 3.10, EPA 
is designating for the receipt of electronic submissions, all EPA 
electronic document receiving systems currently existing and receiving 
electronic reports as of the date of the notice. This designation is 
valid for a period of up to two years from the date of publication of 
the notice. During this two-year period, entities that report directly 
to EPA may continue to satisfy EPA reporting requirements by reporting 
to the same systems as they did prior to CROMERR's publication unless 
EPA publishes a notice that announces changes to, or migration from, 
that system. Any existing system continuing to receive electronic 
reports at the expiration of this two-year period must receive 
redesignation by the Administrator under Sec.  3.10. Notice of such 
redesignation will be published in the Federal Register.

C. What is the status of the proposed electronic recordkeeping 
provisions?

    At this time, EPA is only finalizing the provisions for electronic 
reporting to EPA and under authorized programs. The August 31, 2001, 
proposal, however, also addressed records that EPA or authorized 
programs require entities to maintain under any of the environmental 
programs governed by Title 40 of the CFR or related state, tribe, and 
local laws and regulations. For such records, EPA proposed specific 
provisions for administering the maintenance of electronic records 
under these environmental regulations. EPA proposed criteria under 
which the Agency would consider electronic records to be trustworthy, 
reliable, and generally equivalent to paper records in satisfying 
regulatory requirements. For entities that choose to keep records 
electronically, the proposal would have required the adoption of best 
practices for electronic records management. For facilities maintaining 
records to satisfy the requirements of authorized programs, the 
proposal would have allowed for EPA approval of changes to the 
authorized programs to provide for electronic recordkeeping. Under the 
proposal, approval would have been based on a determination that the 
authorized program would require best practices for electronic records 
management, corresponding to EPA's provisions for electronic records 
maintained to satisfy EPA recordkeeping requirements.
    Further, EPA proposed that once the rule took effect, any records 
subject to the rule that were maintained to satisfy the requirements of 
EPA programs could only be maintained electronically after EPA 
announced in the Federal Register that EPA was ready to allow 
electronic records maintenance to satisfy the specified recordkeeping 
requirements. Also under the proposal, records maintained under an 
authorized state, tribe, or local government program could only be 
maintained electronically once EPA had approved the necessary changes 
to the authorized program.
    Based on the comments received on the proposed electronic 
recordkeeping provisions, EPA reconsidered its approach to electronic 
recordkeeping and is not issuing final recordkeeping rules at this 
time. The Agency is conducting additional analysis and intends to 
publish a supplemental notice or re-proposal to solicit additional 
comments before a final rule on electronic recordkeeping is issued. We 
will be reviewing provisions related to the methods used to ensure 
accuracy, accessibility and the ability to detect alterations of 
records stored electronically, as well as other possible controls for 
electronic recordkeeping. The Agency intends to utilize this review to 
engage states, tribes, local governments, and industry in meaningful 
consultation to ensure that the EPA has the best available information 
on which to base its decisions. In conjunction with these 
consultations--and before issuing any notice or re-proposal--EPA will 
conduct additional analysis on the costs and benefits of alternative 
approaches, and the technical feasibility of various options, with a 
focus on impacts to small businesses. Today's rule does not authorize 
the conversion of existing paper documents retained to comply with 
existing recordkeeping requirements under other provisions of Title 40 
of the CFR to an electronic format for record-retention purposes.

D. How were stakeholders consulted during the development of today's 
final rule?

    This final rule reflects more than ten years of interaction with 
stakeholders that included states, tribes, and local governments, 
industry groups, environmental non-government organizations, national 
standard setting committees, and other federal agencies. As detailed in 
the proposal, many of our most significant interactions involved 
electronic reporting pilot projects conducted with state agency 
partners, including the States of Pennsylvania, New York, Arizona, and 
several others. In May, 1997, work began with approximately 35 states 
on the State Electronic Commerce/Electronic Data Interchange Steering 
Committee (SEES) convened by the National Governors' Association (NGA) 
Center for Best Practices (CBP). Also, EPA sponsored a series of 
conferences and meetings, beginning in June, 1999, with the explicit 
purpose of seeking stakeholder advice before drafting the proposal. 
Reports of these conferences and meetings are available in the docket 
for this rulemaking, along with the product of the SEES effort, a 
document entitled, ``A State Guide for Electronic Reporting of 
Environmental Data,'' and reports on some of the more recent state/EPA 
electronic reporting pilots.
    For the proposal, EPA provided a 6-month public comment period, 
which closed on February 27, 2002. During that time, we received 184 
sets of written comments on the proposed rule. The commenters 
represented a broad spectrum of interested parties: States, local 
governments, specific businesses, trade associations, and other federal 
agencies. Substantive changes to the electronic reporting provisions 
based on public comments are discussed in detail in section IV of this 
Preamble. In addition, EPA received comments at four public meetings 
held around the country and at two meetings with states held in 
Washington, DC. The comments and meeting summaries can be found in the 
docket to this rulemaking. Today's final rule reflects many of the 
comments and concerns raised by commenters on the proposal. (A complete 
discussion of the options considered by EPA and other background 
information on the Agency's policy on electronic reporting

[[Page 59852]]

can be found in the proposed rule.) The majority of comments focused on 
the costs and burden of the proposed Subpart D electronic recordkeeping 
provisions. EPA's response to public comments to the proposal can be 
found in the rulemaking docket, in the Response to Comments document.

E. What alternatives to today's final rule did EPA consider?

    EPA considered both a more stringent and a less stringent 
alternative to the regulatory approach taken in this rule. The more 
stringent alternative is reflected in the electronic provisions 
published, August 31, 2001, in the Notice of Proposed Rulemaking for 
CROMERR. The proposed version of CROMERR was more stringent by virtue 
of setting much more prescriptive, detailed requirements that 
electronic document receiving systems would have to satisfy. For 
example:
     Proposed Sec.  3.2000(d) contained very specific 
requirements for submitter identity management that a system would have 
to satisfy, including detailed requirements for renewal of registration 
and revocation of registration under specified circumstances;
     Proposed Sec.  3.2000(e) contained very detailed 
requirements for the signature/certification scenario that a system 
would have to provide for, specifying the exact sequence of steps to be 
followed in electronically signing a submission, and requiring such 
features as on-screen, scroll-through presentation of the data to be 
submitted for review of the signatory prior to signing.
    EPA received significant public comment on this approach, both from 
states and from regulated companies, and there were at least three 
closely related themes. The first was that such prescriptive 
requirements would greatly limit the flexibility of states to implement 
electronic reporting in a cost-effective way. The second theme was that 
many of the requirements--especially those specifying the signature/
certification scenario--were not appropriate to many cases where 
electronic reporting would occur. Third and finally, many of these 
commenters expressed skepticism that these very detailed requirements 
represented the only possible approach to ensuring the legal 
dependability of electronic submissions and signatures. These themes 
are discussed in detail in section IV.B of this Preamble.
    EPA also considered a less stringent alternative that would have 
refrained from specifying requirements to establish the identity of an 
individual to whom a signature device or credential (e.g. a PIN, 
password, or PKI certificate) is issued. This less stringent 
alternative would have omitted the provision for identity-proofing in 
the final Sec.  3.2000(b)(5)(vii). In terms of regulatory impact, this 
would be a significant reduction in stringency. Most of the burden on 
regulated entities imposed by today's rule is associated with the 
registration process involved in obtaining a signature device or 
credential, and any requirement to establish the registrant's identity 
raises the aggregate burden substantially.
    EPA rejected this less stringent alternative, because we believe 
that it would seriously undermine the rule's ability to assure the 
legal dependability of electronic submissions. It is a basic principle 
of electronic authentication (E-authentication) that individuals being 
authenticated are who they say they are. E-authentication depends 
critically on the degree of trust we can place in the credential the 
individual presents, and such trust depends heavily on the process of 
establishing the individual's identity (or ``identity-proofing'') when 
he or she first registers for the credential. If the identity-proofing 
process is not sufficiently stringent and credible, then it may be 
uncertain who is using the credential in a specific instance where it 
is presented. Where the credential is used to create an electronic 
signature, inadequate identity-proofing may create uncertainty as to 
who the signatory is, as a result, the signature may be rendered 
undependable for any legal purpose. Accordingly, EPA believes that, 
notwithstanding the cost, it is necessary to specify that identity-
proofing be conducted. The Sec.  3.2000(b)(5)(vii) identity-proofing 
requirement is explained in detail in section VI.E.12 of this Preamble.

II. Background

A. What has been EPA's electronic reporting policy?

    On September 4, 1996, EPA published a document entitled ``Notice of 
Agency's General Policy for Accepting Filing of Environmental Reports 
via Electronic Data Interchange (EDI)'' (61 FR 46684) (hereinafter 
referred to as `the 1996 Policy'), where ``EDI'' generally refers to 
the transmission, in a standard syntax, of unambiguous information 
between computers of organizations that may be completely external to 
each other. This notice announced EPA's basic policy for accepting 
electronically submitted environmental reports, and its scope was 
intended to include any regulatory, compliance, or informational 
(voluntary) reporting to EPA via EDI.
    For purposes of the 1996 policy, the standard transmission formats 
used by EPA were to be based on the EDI standards developed and 
maintained by the American National Standards Institute (ANSI) 
Accredited Standards Committee (ASC) X12. By linking our approach to 
the ANSI X12 standards, we hoped to take advantage of the robust ANSI-
based EDI infrastructure already in place for commercial transactions, 
including a wide array of commercial off-the-shelf (COTS) software 
packages and communications network services, and a growing industry 
community of EDI experts available both to EPA and to the regulated 
community. At the time EPA was writing this policy, ANSI-based EDI was 
arguably the dominant mode of electronic commerce across almost all 
business sectors, from aerospace to wood products, at least in the 
United States. (A complete discussion of EPA's 1996 policy can be found 
in the preamble to the proposed rule.)
    With this final rule, EPA is making changes to the 1996 policy for 
three primary reasons. First, and most important, the technology 
environment has changed substantially since the 1996 policy was 
written. Web-based electronic commerce and public key infrastructure 
(PKI) are two examples. While both were available and in use for some 
purposes in 1996, they had not yet achieved the level of acceptance and 
use that they enjoy today. We could not have anticipated in 1996 that 
this evolution would occur as rapidly as it has. Clearly, these 
developments require that we extend our approach to electronic 
reporting beyond EDI and Personal Identification Numbers (PINs). In 
addition, they teach us that it is generally unwise to base regulatory 
requirements on the existing information technology environment or on 
assumptions about the speed and direction of technological evolution.
    Second, we believe that technology-specific provisions would be 
very complex and unwieldy. The resulting regulation would likely place 
unacceptable burdens on regulated entities trying to understand and 
comply.
    Third, and finally, an electronic reporting architecture that makes 
a centralized EPA or state system the platform for such functions as 
electronic signature/certification is now quite viable--and quite 
consistent with the standard practices of Web-based electronic 
commerce. Given the state of technology six years ago, we could not

[[Page 59853]]

have considered this approach in the 1996 policy.

B. How does today's final rule change EPA's electronic reporting 
policy?

    For practical purposes, the most important change that today's rule 
makes is in our technical approach to electronic reporting. In contrast 
to the 1996 policy, today's rule does not generally specify or limit 
the range of allowable electronic submission technologies and formats. 
Under today's rule, complaint electronic reporting approaches can 
include user-friendly `smart' electronic forms to be completed on-line 
or downloaded for completion off-line at the user's personal computer, 
as well as data transfers via the Internet or secure email in a variety 
of standard and common off-the-shelf, application-based formats. 
Similarly, in terms of electronic signature technology, the rule allows 
for a range of approaches, including various implementations of PINs 
and passwords, the use of private or personal information, digital 
signatures based on PKI certificates, and other signature technologies 
as they become viable for our applications. As EPA or authorized 
programs implement electronic submission for specific reports, the rule 
allows them to select one or more of the available submission and 
signature approaches according to their circumstances and the program-
specific requirements.
    EPA's goals are to make this electronic reporting alternative as 
simple, attractive and cost-effective as possible for reporting 
entities, while ensuring that electronically submitted documents are as 
legally dependable as their paper counterparts. We believe that today's 
rule achieves these goals, but--unlike the 1996 policy--without 
requiring specific technologies or setting detailed procedural steps 
for the submission of electronic documents. Our strategy--as initially 
set out in the August 31, 2001, notice of proposed rulemaking, and as 
finalized today--is to impose as few specific requirements as possible 
on reporting entities, and to generally keep requirements neutral with 
respect to technology. As a consequence, today's rule enables EPA, the 
states, tribes, and local governments to offer regulated companies 
diverse approaches to electronic reporting that can be tailored to 
their technical capabilities and to the level of automation they wish 
to achieve. In addition, the strategy gives EPA, the states, tribes, 
and local governments the flexibility to adapt electronic reporting 
systems to evolving technologies without requiring that regulations be 
amended with each technological innovation.
    However, this regulatory strategy does not mean abandoning any 
control over how electronic documents are submitted. In place of 
specific technologies or detailed procedural steps, today's rule 
requires that electronic submissions be made to CDX or other designated 
EPA systems, or to state, tribe, or local government systems that are 
determined to satisfy a certain specified set of technology-neutral 
performance standards. As a practical matter, the use of these systems 
(e.g., CDX or others that meet the specified performance standards) 
will involve submission procedures that we believe are sufficient to 
ensure the legal dependability of electronic reports so that they meet 
the needs of our compliance and enforcement programs. In addition, 
while the specified performance standards may be technology-neutral, 
agency electronic reporting systems that implement the standards will 
incorporate suites of very specific technologies that will further 
determine the process for actual electronic submission. Sections V.B 
and V.C of this Preamble describe these requirements and the associated 
technologies in some detail for the case of reporting directly to EPA 
via CDX.

III. Scope of the Electronic Reporting Rule

    EPA is today promulgating a new Part 3 in Title 40 of the CFR. The 
new Part applies to all persons who submit reports or other documents 
to EPA under Title 40, and to state, tribe, and local programs that 
administer or seek to administer authorized programs under Title 40. 
The new part 3 does not address contracts, grants or financial 
management regulations contained in Title 48 of the CFR.

A. Who may submit electronic documents?

    Any entity that submits documents addressed in this rule (see 
section III.B., below) directly to EPA can submit them electronically 
as soon as EPA announces that CDX or a designated alternative system is 
ready to receive these reports. (See section V of this Preamble for a 
discussion on requirements for electronic reporting to EPA, and section 
V.B for a discussion of the status of electronic reporting directly to 
EPA systems that exist as of the rule's publication date.) Under this 
rule, the affected entities may elect to utilize the electronic 
reporting alternative. These entities are not required by this final 
rule to report electronically; however, they may be required to report 
electronically under other Title 40 regulations, and nothing in today's 
rule limits EPA's ability to require electronic reporting under other 
parts of Title 40.
    In general, entities may submit documents electronically as 
provided for under authorized state, tribe, or local government 
programs. Nothing in this rule prohibits state, tribe, or local 
governments from requiring electronic reporting under applicable state, 
tribe, or local law.

B. Which documents can be filed electronically?

    This rule addresses document submissions required by or permitted 
under any EPA or authorized state, tribe, or local program governed by 
EPA's regulations in Title 40 of the CFR. Nonetheless, EPA will need 
time to develop the hardware and software components required for each 
individual type of document. Similarly, states, tribes, and local 
governments will need time to evaluate their electronic document 
receiving systems to ensure that they meet the standards promulgated in 
today's final rule. Accordingly, once this rule takes effect, specific 
documents submitted directly to EPA that are not already being 
submitted electronically to existing EPA systems can only be submitted 
electronically after EPA announces in the Federal Register that CDX or 
an alternative system is ready to receive those specific documents. 
(See section V.B of this Preamble for a discussion of the status of 
electronic reporting directly to EPA systems that exist as of the 
rule's publication date.) Documents may be submitted electronically 
under the provisions of an authorized state, tribe, or local program.

C. How does this final rule implement electronic reporting?

    The new 40 CFR part 3 consists of four (4) Subparts. Subpart A 
provides that any requirement in Title 40 to submit a report directly 
to EPA can be satisfied with an electronic submission that meets 
certain conditions (specified in Subpart B) once the Agency publishes a 
notice that electronic document submission is available for that 
requirement. Subpart A also provides that electronic reporting can be 
made available under EPA-authorized state, tribe, or local 
environmental programs. In addition, Subpart A makes clear: (1) that 
electronic document submission, while permissible under the terms of 
this rule, is not required by any provision of this rule; and (2) that 
this rule confers no right or privilege to submit data electronically 
and does not obligate EPA or states, tribes, or local

[[Page 59854]]

agencies to accept electronic data. Subpart A also contains key 
definitions and discusses compliance and enforcement.
    Subpart B sets forth the general requirements for acceptable 
electronic documents submitted to EPA. It provides that electronic 
documents must be submitted either to CDX or to other EPA designated 
systems. It also includes general requirements for electronic 
signatures. The requirements in Subpart B apply to entities that submit 
electronic documents for direct reporting to EPA, including states, 
tribes, and local governments that submit electronic documents to EPA 
to satisfy requirements that apply to them under Title 40 of the CFR. 
Subpart B does not apply to any data transfers between EPA and states, 
tribes, or local governments as a part of their authorized programs or 
as a part of administrative arrangements between states, tribes, or 
local governments and EPA to share data. Additionally, Subpart B does 
not apply to the submission of any electronic document via magnetic or 
optical media--for example via diskette, compact disk, or tape--or to 
the transmission of documents via hard copy facsimile or ``fax.''
    Subpart C is reserved for future EPA electronic recordkeeping 
requirements.
    Finally, Subpart D sets forth the process and standards for EPA 
approval of changes to authorized state, tribe, and local environmental 
programs to allow electronic reporting to satisfy requirements under 
these programs. Again, for purposes of Subpart D, ``electronic 
reporting'' entails submission via telecommunications, and Subpart D 
requirements do not apply in cases of submission via magnetic or 
optical media or hard copy ``fax.'' With respect to electronic 
reporting, Subpart D includes simplified performance-based standards 
for acceptable state, tribe, or local agency electronic document 
receiving systems against which EPA will assess authorized program 
electronic reporting elements. It also provides a streamlined process 
for approving applications for revisions to authorized programs for 
electronic reporting.
    Given the provisions of Subpart A, a regulated entity wishing to 
determine whether electronic reporting directly to EPA was available 
under some specific regulation will have to verify that EPA has 
published a Federal Register notice announcing their availability and 
will have to locate any additional provisions or instructions governing 
the electronic alternative for the particular reporting requirement. To 
facilitate this determination, EPA intends to maintain an easily 
accessed list of EPA reports for which electronic reporting has been 
implemented--cross-referencing the applicable Federal Register 
notices--on the Exchange Network and Grants webpage at www.epa.gov/
exchangenetwork.

IV. Major Changes From Proposed Electronic Reporting Provisions

A. How does the rule streamline the approval of electronic reporting 
under authorized state, tribe, and local government programs?

    1. Review of the proposal. EPA proposed that states, tribes, and 
local governmental entities would use the procedures for program 
revision or modification provided in existing program-specific 
regulations governing state, tribe, or local authorized programs.
    In the Preamble to the proposed rule, we noted that our approach 
raised certain administrative concerns, especially in cases where a 
governmental entity wished to use a single system to accept electronic 
submissions across a number of authorized programs, corresponding to 
EPA's use of CDX to receive reports across EPA programs. To receive EPA 
approval for such implementations, the governmental entity would have 
to apply for revision or modification under each authorized program 
affected, using procedures that might vary substantially from program 
to program. While these procedures might vary, each substantive review 
would still refer to the same proposed part 3 criteria, and--in the 
case of a single system implementation--would apply these criteria to 
the same system. EPA intended this approach to facilitate an 
administrative streamlining of the approval process, by allowing a 
single EPA review of all cross-program applications associated with a 
particular electronic document receiving system, which would enable EPA 
to make a single decision to approve or disapprove all the associated 
applications. While this approach would not eliminate multiple 
applications, it would at least simplify the interactions between the 
applicant and EPA during substantive review, and would speed EPA action 
on the applications themselves.
    EPA also considered more radical streamlining alternatives, 
including a centralized approval process provided for by regulation, 
and the proposal requested comment on whether any of these alternatives 
would be preferable to the administrative approach to streamlining.
    2. Comments on the proposal. In comments on the provisions for 
electronic reporting under authorized programs, a recurring theme was 
the complexity of the proposed requirements for EPA approval of program 
revisions or modifications to allow electronic reporting. The comments 
in many cases seemed directed equally to the approval process and to 
the proposed criteria for approval. Comments on the criteria are 
discussed in more detail in section IV.B.2 of this Preamble.
    As for the comments that clearly addressed the process, there were 
two major concerns. The first was that the process, due to the various 
current program authorization regulations, is inherently complicated, 
time-consuming and resource-intensive. In a few cases, commenters noted 
the particular worry that having to seek EPA approval for each program 
implementing electronic reporting would be especially burdensome, and 
that EPA's proposed approach of streamlining the internal review 
component of the program revision process would be of little help.
    The second concern was the impact of the rule on electronic 
reporting that was already underway. Commenters noted that many 
authorized programs are already accepting electronic submissions, or 
would be by the time the final rule is published, and they worried 
about the timing of the requirement that the electronic document 
receiving systems they use for this purpose be approved by EPA under 
associated program revision or modification procedures. Under the 
proposed provisions, such systems would have to be EPA-approved as soon 
as the rule became effective, which was not practicable. Given the need 
to address the criteria for approval, such applications could only be 
initiated once the rule was finalized, and they might take months to 
complete and get approved, or substantially longer in cases where the 
revision or modification required state legislative or regulatory 
changes. During the months or years that the revision or modification 
was in process, the authorized program would either have to shut down 
their electronic document receiving systems or, of necessity, operate 
them out of compliance with the rule. Commenters were particularly 
concerned with the disruptive impacts of having to shut these systems 
down. They pointed out that reversion to paper-based submissions in 
such cases may be difficult and expensive, both for the agencies and 
for the submitting entities that are affected, and that resuming

[[Page 59855]]

system operation after a long hiatus may require resources more 
typically associated with system start-up. Additional comments on 
program revision or modification and EPA's responses can be found in 
the rulemaking docket, in the Response to Comments document.
    3. Revisions in the final rule. To address the concern that the 
proposed program revision or modification to accommodate electronic 
reporting was too complicated and burdensome, the final rule provides 
streamlined procedures for adding electronic reporting to existing 
authorized programs. These are optional procedures that a state, tribe, 
or local government may use if it chooses, in place of the applicable 
program-specific procedures, to seek EPA approval for revisions or 
modifications that provide for electronic reporting. EPA believes that 
in most cases these optional procedures will be substantially simpler 
and quicker than their program-specific alternatives. These new 
procedures are discussed in detail in section VI.C of this Preamble.
    To address the concern that the required program revisions or 
modifications may disrupt authorized programs that already have 
electronic reporting underway, the final rule provides for a two-year 
delayed compliance date--in effect, a two-year ``grace period''--before 
such programs have to submit their applications for revision or 
modification. Programs will be allowed this grace period where they 
have systems that fit the definition of ``existing electronic document 
receiving system,'' explained in section VI.B.2 of this Preamble. In 
addition, these provisions allow the grace period to be extended, on a 
case-by-case basis, where an authorized program may need to wait for 
legislative or regulatory changes before a complete application can be 
submitted.

B. How has EPA revised the requirements that state, tribe, and local 
government electronic reporting programs must satisfy?

    1. Review of the proposal. EPA proposed a detailed set of criteria 
that would have to be met by any system that is used to receive 
electronic documents submitted to satisfy document submission 
requirements under any EPA-authorized state, tribe, or local 
environmental program. The proposed criteria addressed the capabilities 
that EPA believed a state, tribe, or local government's electronic 
document receiving system must have regarding six function-specific 
categories: (1) System security, (2) electronic signature method, (3) 
submitter registration, (4) signature/certification scenario, (5) 
transaction record, and (6) system archives.
    These criteria were based upon EPA's consideration of the roles 
that many electronically submitted documents will likely play in 
environmental program management, including compliance monitoring and 
enforcement, and the need to ensure that such roles were not 
compromised by the transition from paper to electronic submission. In 
many respects electronic submission enhances a document's utility for 
environmental programs: it significantly reduces the resources and time 
involved in making the content available to its users, and can greatly 
facilitate data quality assurance and analysis. Nonetheless, electronic 
submissions may also be open to challenge, primarily with respect to 
their authenticity, and particularly where they are used to establish 
the actions and intentions of the submitters. We normally consider such 
uses in the case of environmental reporting, especially where 
electronic submissions are made to report on an entity's compliance 
status and where the submission includes a responsible individual's 
certification to the truth of what is reported. For such cases, EPA 
identified a programmatic need to be able to authenticate the 
submission content and the certification--for example, to be able to 
address issues of fraud or false reporting where they arise--and it is 
primarily this need that was addressed by the six proposed criteria.
    The point of the proposal's six function-specific categories was to 
ensure the authenticity of electronic documents submitted in lieu of 
paper reports, so that they will be able to play the same role as their 
paper counterparts in providing evidence of what was reported and to 
what an identified individual certified with respect to the report. For 
example, in the case of paper submissions, the evidence surrounding a 
handwritten signature is normally sufficient to demonstrate that the 
signature is authentic and rebut any attempt by the signatory to 
repudiate it and EPA intends the standards in today's rule to provide 
evidence for electronic signatures that has a corresponding level of 
non-repudiation. Since these evidentiary issues typically arise in the 
context of judicial or other legal proceedings, electronic documents 
need the same ``legal dependability'' as their paper counterparts. The 
over-arching standard in the concept of ``legal dependability'' is that 
any electronic document that may be used as evidence to prosecute an 
environmental crime or to enforce against a civil violation should have 
no less evidentiary value than its paper equivalent. For example, where 
there is a question of deliberate falsification of compliance data--it 
must be possible to establish the signatory's identity beyond a 
reasonable doubt no matter whether the submission was electronic or 
paper.
    A seventh, more general proposed criterion, entitled ``Validity of 
Data,'' addressed the standard of legal dependability directly. The 
idea, in general, was that a system used to receive electronic 
documents must be capable of reliably generating evidence for use in 
private litigation, in civil enforcement proceedings, and in criminal 
proceedings in which the standard for conviction is proof beyond a 
reasonable doubt that the electronic document was actually signed by 
the individual identified as the signatory and that the data it 
contains was not submitted in error. The six more detailed, function-
specific criteria represented the requirements for satisfying this more 
general ``Validity of Data'' criterion. Taken together, the seven 
proposed criteria were intended to ensure the legal dependability of 
electronically submitted documents by providing:
     Standards for valid electronic signatures and authentic 
electronic documents to be admitted as evidence in a judicial 
proceeding;
     Assurance that electronic documents can be authenticated 
to provide evidence of what an individual submitted and/or attested to; 
and
     Assurance that electronic signatures resist repudiation by 
the signatory.

By providing for these and other facets of an electronic document's 
legal dependability, proposed CROMERR was intended to preserve the 
ability of EPA and its authorized programs to hold individuals 
accountable when they certify, attest or agree to the content of 
compliance reports under environmental laws and statutes. By the same 
token, proposed CROMERR was also intended to ensure that EPA and its 
authorized programs will have the documentary evidence they need to 
bring actionable cases of false or fraudulent reporting into court.
    2. Comments on the proposed criteria for electronic document 
receiving systems. EPA received a substantial number of comments on the 
proposed criteria for state, tribe, and local electronic document 
receiving systems, both in written submissions and at meetings with the 
public and with state and local government officials. While a

[[Page 59856]]

few of these comments questioned the ``Validity of Data'' criterion, 
the great majority dealt with the detailed function-specific criteria. 
There were at least three recurring and closely related themes. First, 
the criteria were too prescriptive and inflexible, and would prevent 
state, tribe, and local agencies from adapting their electronic 
reporting approaches to their needs and changing circumstances, and 
foreclose new and creative ways to achieve legal dependability. Second, 
the criteria would make electronic reporting unnecessarily complex, 
costly, and burdensome. Third, while the criteria might be appropriate 
for some cases, the ``one size fits all'' approach was not workable for 
all reports in all programs.
    Commenters tended to associate these three themes with certain 
misperceptions about the proposed requirements for signature method and 
the signature/certification scenario. Concerning signature method, a 
common concern was that the criteria would require states to implement 
PKI-based digital signatures. Commenters generally appear to have 
inferred this from proposed Sec.  3.2000(c) Electronic Signature 
Method, together with EPA's own choice of PKI for some submissions to 
CDX, as discussed in the Preamble. Whatever EPA's plans for CDX, state, 
tribe, and local government systems do not have to conform to the CDX 
model. Implementing a particular system of necessity requires the 
choice of specific technologies. To make those choices does not imply 
that these are the only possible choices that would satisfy whatever 
requirements the rule places on electronic reporting systems. 
Concerning Sec.  3.2000(c), commenters tended to focus on paragraph (5) 
of this section, which stated that the signature method had to ensure 
``that it is impossible to modify an electronic document without 
detection once the electronic signature has been affixed.'' EPA did not 
intend for this provision to establish PKI-digital signature as the 
required signature method. Given current technology, approaches to 
satisfying the Sec.  3.2000(c)(5) requirement frequently involve the 
computation of a number--called a ``hash''--that has a unique relation 
to the content of the electronic document such that any change to the 
document content would change the computed hash. Given the hash, the 
associated document can be confirmed as unmodified at any time by 
calculating a new hash and showing that the new and original hashes are 
identical. Using such a hash-based approach, it is important to ensure 
that the hash has been secured from tampering, and encryption is 
probably the most straightforward way to do this. Encryption can be 
accomplished in a number of ways. Approaches include PKI-based digital 
signature, digital signature where the asymmetric key-pair is not 
associated with a PKI certificate, and various forms of symmetric-key 
cryptography. Additionally, it may be possible to avoid cryptography 
altogether by storing the hash value in a system with appropriately 
controlled access. Thus, a solution using PKI-based digital signatures 
represents only one among a number of possible approaches to satisfying 
the proposed Sec. 3.2000(c)(5) requirement.
    A number of commenters also misinterpreted the criteria under 
proposed Sec.  3.2000(e) Electronic signature/certification scenario 
(especially the provisions for signatory's review of data under Sec.  
3.2000(e)(1)(i)) as requiring signatories to scroll through their 
submissions on-screen before they affix their electronic signatures, 
and re
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.