Frequently Asked Questions
On this page:
- CROMERR Overview
- Technical Requirements
- Application Requirements
- Application Review and Approval Process
CROMERR Overview
Does receiving report submissions via email meet CROMERR requirements?
Attaching reports to emails is not considered to be a CROMERR-compliant system, as it fails to meet numerous CROMERR requirements, namely:
- The document is not alterable without detection
- Alterations to the document are recorded by the system
- The document can only be submitted intentionally
- Submitters and signatories are provided with an opportunity to review and repudiate the copy of record (COR)
In addition, scanned signatures are not considered to be valid e-signatures. A valid electronic signature refers to an electronic document that has been signed using an electronic signature device. The identified signatory is uniquely entitled to use the signature device for signing that document provided that this device has not been compromised, and the signatory is an individual who is authorized to sign the document by virtue of his or her legal status and his or her relationship to the regulated entity on whose behalf the signature is executed.
Valid electronic signature: As defined in § 3.3 of CROMERR, an electronic signature on an electronic document that has been created with an electronic signature device that the identified signatory is uniquely entitled to use for signing that document, where this device has not been compromised, and where the signatory is an individual who is authorized to sign the document by virtue of his or her legal status and/or his or her relationship to the entity on whose behalf the signature is executed.
Electronic document: As defined in § 3.3 of CROMERR, any information in digital form that is conveyed to an agency or third-party, where "information" may include data, text, sounds, codes, computer programs, software, or databases. "Data," in this context, refers to a delimited set of data elements, each of which consists of a content or value together with an understanding of what the content or value means; where the electronic document includes data, this understanding of what the data element content or value means must be explicitly included in the electronic document itself or else be readily available to the electronic document recipient.
Electronic signature device: As defined in § 3.3 of CROMERR, a code or other mechanism that is used to create electronic signatures. Where the device is used to create an individual's electronic signature, then the code or mechanism must be unique to that individual at the time the signature is created and he or she must be uniquely entitled to use it. The device is compromised if the code or mechanism is available for use by any other person.
Please note that CROMERR places no limitations on programs taking regulatory data submitted by any means and typing, loading, scanning, etc. it into another system as a "working" copy of the data or allowing otherwise non-CROMERR compliant submissions to be maintained as "working" or "courtesy" copies of data so long as paper-based, CROMERR-compliant or exempted records of this data are separately retained as the official copies of record. But email alone would not suffice as a CROMERR-compliant copy of record.
Copy of record: As defined in § 3.3 of CROMERR, a true and correct copy of an electronic document received by an electronic document receiving system, which copy can be viewed in a human-readable format that clearly and accurately associates all the information provided in the electronic document with descriptions or labeling of the information. A copy of record includes: 1) All electronic signatures contained in or logically associated with that document; 2) The date and time of receipt; and 3) Any other information used to record the meaning of the document or the circumstances of its receipt.
For an overview of the CROMERR requirements, please visit: CROMERR 101 Lesson 5
Does receiving report submissions via a file upload process meet CROMERR requirements?
Receiving report submissions via a file upload process could be a CROMERR-compliant solution, or submission via file upload can be part of a CROMERR-compliant solution. CROMERR was specifically designed as a set of performance-based standards, so that as technology and business process approaches evolve, they can continue to suggest new ways of meeting CROMERR requirements.
An electronic reporting system that receives submissions via a file upload process is likely to face the following challenges in terms of CROMERR compliance:
- If signature is required, is the signature one that complies with CROMERR?
- If signature is required, how is the signature bound to the document?
- If signature is required, what is the second authenticating factor?
- What evidence is there that the document hasn’t been modified since the time it was signed / submitted?
- How does the system demonstrate an intent by the registrant to submit a particular document?
- How does the system acknowledge receipt of the document?
- What opportunity is there to review and repudiate a posted document?
- How does the system guard against errors in transmission?
Note that scanned signatures are not considered to be valid e-signatures. A valid electronic signature refers to an electronic document that has been signed using an electronic signature device. The identified signatory is uniquely entitled to use the signature device for signing that document provided that this device has not been compromised, and the signatory is an individual who is authorized to sign the document by virtue of his or her legal status and his or her relationship to the regulated entity on whose behalf the signature is executed.
Please note, too, that CROMERR places no limitations on programs taking regulatory data submitted by any means and typing, loading, scanning, etc. it into another system as a "working" copy of the data or allowing otherwise non-CROMERR compliant submissions to be maintained as "working" or "courtesy" copies of data so long as paper-based, CROMERR-compliant or exempted records of this data are separately retained as the official copies of record.
For an overview of the CROMERR requirements, please visit: CROMERR 101 Lesson 5
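One way a file-upload receiving system could address several of the questions listed above (errors in transmission, acknowledgment of receipt, evidence that the document has not been modified), as an added example that is not EPA's or any approved system's code. The sealing key, field names and sample report are assumptions constructed for illustration; the submitter's e-signature and second factor are outside its scope.

```python
import hashlib
import hmac
import json

# Constructed sample values for illustration only.
SYSTEM_KEY = b"constructed-demo-sealing-key"  # hypothetical key held by the receiving system
SAMPLE_REPORT = b"facility_id,parameter,value\nF-001,pH,7.2\n"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _seal(fields: dict, key: bytes) -> str:
    # Canonical JSON so the same fields always produce the same seal.
    payload = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def receive_upload(document: bytes, declared_sha256: str, submitter_id: str,
                   received_at: str, key: bytes = SYSTEM_KEY) -> dict:
    """Check the upload against the digest the client declared, then return a
    sealed receipt record that can be sent back as the acknowledgment."""
    digest = sha256_hex(document)
    if not hmac.compare_digest(digest, declared_sha256.lower()):
        raise ValueError("digest mismatch: file changed or corrupted in transit")
    fields = {"submitter_id": submitter_id, "sha256": digest,
              "received_at": received_at}
    return {**fields, "seal": _seal(fields, key)}

def verify_receipt(document: bytes, receipt: dict, key: bytes = SYSTEM_KEY) -> bool:
    """True only if neither the stored document nor the receipt fields changed."""
    fields = {k: receipt[k] for k in ("submitter_id", "sha256", "received_at")}
    seal_ok = hmac.compare_digest(_seal(fields, key), receipt["seal"])
    doc_ok = hmac.compare_digest(sha256_hex(document), receipt["sha256"])
    return seal_ok and doc_ok

if __name__ == "__main__":
    receipt = receive_upload(SAMPLE_REPORT, sha256_hex(SAMPLE_REPORT),
                             "user-123", "2024-01-15T14:30:00+00:00")
    print(json.dumps(receipt, indent=2))
    print("intact:", verify_receipt(SAMPLE_REPORT, receipt))
    print("altered:", verify_receipt(SAMPLE_REPORT.replace(b"7.2", b"6.9"), receipt))
```

The seal is a keyed hash computed by the receiving system, so it shows that the stored document and receipt fields are unchanged since receipt; it does not by itself identify who signed.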
Technical Requirements
Do I need to store paper electronic signature agreements (ESAs) in their original paper format?
Paper files still need to be stored because a wet-ink on paper signature contains forensic evidence that can be used by handwriting experts to identify the individual who signed it. A scan of a signature does not retain the forensic evidence from the wet-ink on paper signature needed by the handwriting experts. If the wet-ink on paper signature is not stored, an individual could successfully repudiate their signature, potentially making all electronic reports submitted by that person unenforceable. Therefore, the CROMERR rule requires that when a wet-ink on paper signed ESA is used for identity-proofing, the paper ESA must be stored until five years after the signature device is deactivated.
Is the challenge question approach the only "second factor" available to strengthen a PIN/password-based e-signature?
No, candidate second-factors include private knowledge (such as a "challenge question"), biometrics and hardware devices (e.g., smart cards, USBs, PIN/Password Generators, RSA tokens, cell phones).
EPA recommends PIN-based e-signatures use a "challenge question" as a "second factor" because compared with the alternatives, the challenge-question approach provides significant added protection against signature repudiation at a relatively low cost. The approach is relatively inexpensive, easy to implement and is widely used for commercial applications such as banking.
States are welcome to propose other options that demonstrate that the PIN/password has not been compromised. (For the purposes of CROMERR, "state" includes the District of Columbia and the United States Territories, as specified in the applicable statutes.)
For more information, see:
User Identification, Verification, and Authentication: Challenge Question Second-Factor Approach (pdf)
Application Requirements
Who needs to sign the certification of legal authority to implement electronic reporting under CROMERR?
For states, the AG (or designee) must sign the certification letter. For tribes and local governments, the Chief Administrative Official or Officer (CAO) (or designee) must sign the certification letter. Letters signed by a designee must explicitly document that this individual has delegated authority from the AG or CAO to sign the certification letter.
For additional information, see:
CROMERR Legal Certification Guide for State Attorney General or Local Government or Tribe Certifying Official Statement (pdf)
Some states have approved generic AG Certifications on file. To determine if an AG Certification may be required for your application, see: Program Announcements and Initiatives
Application Review and Approval Process
Review Process
When should applicants engage EPA on their electronic reporting system plans?
Authorized-program applicants pursuing largely or exclusively custom-developed systems should engage EPA during the system design phase to minimize the potential of rework needed to comply with CROMERR requirements. These applicants should also submit a draft CROMERR system checklist so that EPA can better understand the applicant’s plans for CROMERR compliance, identify gaps and potential compliance concerns, and provide proactive assistance in revising the application.
Applicants pursuing off-the-shelf solutions typically do not need to go through this process, and may submit applications for EPA review and action whenever they are ready.
For more information, see: Application tools and templates
What is the time frame for the review process?
The time frame for authorized-program CROMERR application review and approval largely depends on whether the application is for a custom-developed system or for an off-the-shelf solution.
Currently, 80-90 percent of CROMERR applications are for systems using pre-vetted commercial off-the-shelf solutions or all Shared CROMERR Services components. EPA typically approves these applications within 6 to 12 weeks and acts on both completeness and approval at the same time.
Applicants pursuing custom-developed systems should typically plan for an in-depth, iterative review process and may not achieve approval for a year or more. These applicants are encouraged to engage EPA during the system design phase, allowing the best chance for approval in advance of the desired system launch date. These applicants are also encouraged to familiarize themselves with the CROMERR Application Reviewer Guide.
For more information, see: CROMERR 101 Lesson 4: The EPA Review and Approval Process under Part 3
Approval Process
When can an authorized program begin using its electronic reporting system?
Authorized program: As defined in § 3.3 of CROMERR, a federal program that EPA has delegated, authorized, or approved a state, tribe, or local government to administer, or a program that EPA has delegated, authorized, or approved a state, tribe or local government to administer in lieu of a federal program, under other provisions of Title 40 and such delegation, authorization, or approval has not been withdrawn or expired.
If ready for use, the authorized program can begin having regulated entities register to the system and submit reports the same day that EPA publishes a notice of the approval in the Federal Register. Drinking water systems or drinking water reporting, though, cannot collect reports until typically 30 days after the publication date.