Skip to main content
U.S. flag

An official website of the United States government

Here’s how you know

Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

HTTPS

Secure .gov websites use HTTPS
A lock (LockA locked padlock) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

    • Environmental Topics
    • Air
    • Bed Bugs
    • Cancer
    • Chemicals, Toxics, and Pesticide
    • Emergency Response
    • Environmental Information by Location
    • Health
    • Land, Waste, and Cleanup
    • Lead
    • Mold
    • Radon
    • Research
    • Science Topics
    • Water Topics
    • A-Z Topic Index
    • Laws & Regulations
    • By Business Sector
    • By Topic
    • Compliance
    • Enforcement
    • Laws and Executive Orders
    • Regulations
    • Report a Violation
    • Environmental Violations
    • Fraud, Waste or Abuse
    • About EPA
    • Our Mission and What We Do
    • Headquarters Offices
    • Regional Offices
    • Labs and Research Centers
    • Planning, Budget, and Results
    • Organization Chart
    • EPA History

Breadcrumb

  1. Home
  2. Cross-Media Electronic Reporting Rule
  3. CROMERR 101 Training
  4. Lesson 6: Using the Checklist to Work through System Requirements

Lesson 6: Registration

Back | Next

Checklist items 1 through 4 are grouped under the Registration Process, where users establish their accounts in the system. This process typically requires users to provide information about them. The system administrator then reviews this information and provides the users with system privileges and signing credentials. Checklist items 1 through 4 represent CROMERR requirements that this registration process must satisfy.

  1. Identity-Proofing of Registrant
  2. Determination of Registrant’s Signing Authority
  3. Issuance (or Registration) of a Signing Credential in a Way that Protects it from Compromise
  4. Electronic Signature Agreement

Explore the contents of each section.

1. Identity-Proofing of Registrant

For users who will sign electronic reports, CROMERR requires that the system determine the individual's identity, usually as a part of the registration process. This identity-proofing is the one CROMERR requirement that is more stringent for users who will sign Priority Reports As defined in § 3.3 of CROMERR, the reports listed in Appendix 1 to part 3..

For users who will sign Priority Reports, CROMERR requires that the system establish their identity before accepting reports with their electronic signatures. There are two ways to do this. One is to establish identity through verification by, and attestation of, a disinterested party, based on identifiers—at least one of which is government-issued. The other way is to include the registrant's handwritten signature As defined in § 3.3 of CROMERR, the scripted name or legal mark of an individual, handwritten by that individual with a marking-or writing-instrument such as a pen or stylus and executed or adopted with the present intention to authenticate a writing in a permanent form, where "a writing" means any intentional recording of words in a visual form, whether in the form of handwriting, printing, typewriting, or any other tangible form. The physical instance of the scripted name or mark so created constitutes the handwritten signature. The scripted name or legal mark, while conventionally applied to paper, may also be applied to other media. as part of the electronic signature agreement As defined in § 3.3 of CROMERR, an agreement signed by an individual with respect to an that the individual will use to create his or her electronic signatures requiring such individual to protect the electronic signature device from ; to promptly report to the agency or agencies relying on the electronic signatures created any evidence discovered that the device has been compromised; and to be held as legally bound, obligated, or responsible by the electronic signatures created as by a handwritten signature. (ESA) process. Where the ESA is executed on paper with a handwritten signature, it is called a "subscriber agreement As defined in § 3.3 of CROMERR, an electronic signature agreement signed by an individual with a handwritten signature. This agreement must be stored until five years after the associated electronic signature device has been deactivated.."

For users who sign only Non-Priority Reports, CROMERR does not specify when or how the identity proofing must be done, although either method specified for Priority Reports will satisfy the requirement in the non-priority case.

Reference:

  • Review the Regulation Language: § 3.2000(b)(5)(vii)
  • Definition of Disinterested Individual As defined in § 3.3 of CROMERR, an individual who is not connected with the person in whose name the electronic signature device is issued. A disinterested individual is not any of the following: The person's employer or employer's corporate parent, subsidiary, or affiliate; the person's contracting agent; member of the person's household; or relative with whom the person has a personal relationship.
  • Subscriber Agreement As defined in § 3.3 of CROMERR, an electronic signature agreement signed by an individual with a handwritten signature. This agreement must be stored until five years after the associated electronic signature device has been deactivated.Definition of Local Registration Authority As defined in § 3.3 of CROMERR, an individual who is authorized by a state, tribe, or local government to issue an agreement collection certification, whose identity has been established by notarized affidavit, and who is authorized in writing by a regulated entity to issue agreement collection certifications on its behalf.
  • Definition of Agreement Collection Certification As defined in § 3.3 of CROMERR, a signed statement by which a local registration authority certifies that a subscriber agreement has been received from a registrant; the agreement has been stored in a manner that prevents unauthorized access to these agreements by anyone other than the local registration authority; and the local registration authority has no basis to believe that any of the collected agreements have been tampered with or prematurely destroyed.

2. Determination of Registrant’s Signing Authority

CROMERR requires the system to determine that users who will sign reports are actually authorized to do so on behalf of the specified regulated entities. This determination is usually based on some combination of the program's existing knowledge of the regulated entities, information submitted by the users or officials of the regulated entities, and some follow-up verification such as phone calls or as a part of routine inspections.

Reference:

  • Review the Regulation Language: § 3.2000(b)(5)(vii)

3. Issuance (or Registration) of a Signing Credential in a Way that Protects it from Compromise In relationship to an electronic signature device, refers to when the device's code or mechanism is available for use by any other person.

CROMERR requires the system to provide users who will sign electronic reports with electronic signature devices (or credentials) to execute their electronic signatures. These devices could be passwords, PINs, PKI Enables users of a basically unsecure public network, such as the Internet, to securely and privately exchange data and money through the use of a public and a private cryptographic key pair that is obtained and shared through a trusted authority. The public key infrastructure provides for a digital certificate that can identify an individual or an organization and directory services that can store and, when necessary, revoke the certificates. certificates associated with private-public key pairs A pair of cryptographic keys-a public key and a private key-used to execute digital signatures by a user. The private key is kept secret, while the public key may be widely distributed., physical tokens such as a USB device, or devices incorporating biometrics (e.g., fingerprints). Whatever device is issued (or registered), there are two basic requirements that need to be met. The first is to ensure that a device intended for a specific, identified user is issued only to that individual. The second is to ensure that the process of issuing that device—and maintaining a record of it on the system—protects the device from compromise.

Reference:

  • Review the Regulation Language: § 3.2000(b)(5)(i)
  • Definition of Valid Electronic Signature As defined in § 3.3 of CROMERR, an electronic signature on an electronic document that has been created with an electronic signature device that the identified signatory is uniquely entitled to use for signing that document, where this device has not been compromised, and where the signatory is an individual who is authorized to sign the document by virtue of his or her legal status and/or his or her relationship to the entity on whose behalf the signature is executed.
  • Definition of Electronic Signature Device As defined in § 3.3 of CROMERR, a code or other mechanism that is used to create electronic signatures. Where the device is used to create an individual's electronic signature, then the code or mechanism must be unique to that individual at the time the signature is created and he or she must be uniquely entitled to use it. The device is compromised if the code or mechanism is available for use by any other person.

4. Electronic Signature Agreement

CROMERR requires that users sign an Electronic Signature Agreement As defined in § 3.3 of CROMERR, an agreement signed by an individual with respect to an electronic signature device that the individual will use to create his or her electronic signatures requiring such individual to protect the electronic signature device from compromise; to promptly report to the agency or agencies relying on the electronic signatures created any evidence discovered that the device has been compromised; and to be held as legally bound, obligated, or responsible by the electronic signatures created as by a handwritten signature., and this is normally part of the registration process. This agreement must include language that obligates the registrant to protect the credential from compromise, and to immediately report any evidence of compromise to the system administrator. The agreement must also include a statement that the registrant understands that any electronic signature executed with the electronic signature device is as legally binding as a handwritten signature.

Reference:

  • Review the Regulation Language: § 3.2000(b)(5)(v)
  • Definition of Subscriber Agreement As defined in § 3.3 of CROMERR, an electronic signature agreement signed by an individual with a handwritten signature. This agreement must be stored until five years after the associated electronic signature device has been deactivated.Subscriber Agreement As defined in § 3.3 of CROMERR, an electronic signature agreement signed by an individual with a handwritten signature. This agreement must be stored until five years after the associated electronic signature device has been deactivated.

Resources:

  • CROMERR Electronic Signature Agreement Guide (pdf) (220.49 KB, July 2017)

Back | Next

Regulation Language: § 3.2000(b)(5)(vii)

(b) An electronic document receiving system As defined in § 3.3 of CROMERR, any set of apparatus, procedures, software, records, or documentation used to receive electronic documents. that receives electronic documents submitted in lieu of paper When an electronic report takes the place of a paper report submitted to satisfy the requirements under another part of 40 CFR. In some states, the electronic reporting is done to make data collection and management easier, but the state requires that each report submitted electronically also be submitted as a signed paper copy. In this case, the electronic submission would not be in lieu of paper and CROMERR does not apply to the state. Some electronic reporting systems use a combined approach, where part or all of the data are submitted only electronically, but a wet ink signature on paper is also required. In these cases, the e-report (or at least the portions of it that are not also submitted on paper) is considered to be submitted "in lieu of paper" and CROMERR applies. In addition, there are special CROMERR rules under 40 CFR 3.2000(a) that govern the use of a wet ink signature on paper in conjunction with an e-report. (Additional detail on this combined approach is provided in Lesson 6.) documents to satisfy requirements under an authorized program As defined in § 3.3 of CROMERR, a federal program that EPA has delegated, authorized, or approved a state, tribe, or local government to administer, or a program that EPA has delegated, authorized, or approved a state, tribe or local government to administer in lieu of a federal program, under other provisions of Title 40 and such delegation, authorization, or approval has not been withdrawn or expired. must be able to generate data with respect to any such electronic document, as needed and in a timely manner, including a copy of record As defined in § 3.3 of CROMERR, a true and correct copy of an electronic document received by an electronic document receiving system, which copy can be viewed in a human-readable format that clearly and accurately associates all the information provided in the electronic document with descriptions or labeling of the information. A copy of record includes: 1) All electronic signatures contained in or logically associated with that document; 2) The date and time of receipt; and 3) Any other information used to record the meaning of the document or the circumstances of its receipt. for the electronic document, sufficient to prove, in private litigation, civil enforcement proceedings, and criminal proceedings, that... (5) In the case of an electronic document that must bear electronic signatures of individuals as provided under paragraph (a)(2) of this section, that: (vii) For each electronic signature device used to create an electronic signature on the document, the identity of the individual uniquely entitled to use the device and his or her relation to any entity for which he or she will sign electronic documents has been determined with legal certainty by the issuing state, tribe, or local government. In the case of priority reports identified in the table in Appendix 1 of Part 3, this determination has been made before the electronic document is received, by means of: (A) Identifiers or attributes that are verified (and that may be re-verified at any time) by attestation of disinterested individuals to be uniquely true of (or attributable to) the individual in whose name the application is submitted, based on information or objects of independent origin As defined in § 3.3 of CROMERR, data or items that originate from a disinterested individual or are forensic evidence of a unique, immutable trait which is (and may at any time be) attributed to the individual in whose name the device is issued., at least one item of which is not subject to change without governmental action or authorization; or (B) A method of determining identity no less stringent than would be permitted under paragraph (b)(5)(vii)(A) of this section; or (C) Collection of either a subscriber agreement or a certification from a local registration authority that such an agreement has been received and securely stored.

Regulation Language: § 3.2000(b)(5)(i)

(b)An electronic document receiving system that receives electronic documents submitted in lieu of paper documents to satisfy requirements under an authorized program must be able to generate data with respect to any such electronic document, as needed and in a timely manner, including a copy of record for the electronic document, sufficient to prove, in private litigation, civil enforcement proceedings, and criminal proceedings, that... (5) In the case of an electronic document that beard electronic signatures of individuals as provided under paragraph (a)(2) of this section, that: (i) Each electronic signature was a valid electronic signature at the time of signing

Regulation Language: § 3.2000(b)(5)(v)

(b) An electronic document receiving system that receives electronic documents submitted in lieu of paper documents to satisfy requirements under an authorized program must be able to generate data with respect to any such electronic document, as needed and in a timely manner, including a copy of record for the electronic document, sufficient to prove, in private litigation, civil enforcement proceedings, and criminal proceedings, that... (5) In the case of an electronic document that must bear electronic signatures of individuals as provided under paragraph(a)(2) of this section, that: (v) Each signatory has signed either an electronic signature agreement or a subscriber agreement with respect to the electronic signature device used to create his or her electronic signature on the electronic document

Cross-Media Electronic Reporting Rule

  • Learn about the Cross-Media Electronic Reporting Rule (CROMERR)
  • CROMERR 101 Training
    • Lesson 1: Overview of the Final Rule
      • Lesson 1: What Does the Rule Do?
      • Lesson 1: What Does the Rule NOT Do?
      • Lesson 1: Who is Affected?
      • Lesson 1: When Does the Rule NOT Apply?
      • Lesson 1: End of Lesson
    • Lesson 2: Quick Tour of the Final Rule
      • Lesson 2: End of Lesson
    • Lesson 3: Application Requirements
      • Lesson 3: Required Elements of a CROMERR Application
      • Lesson 3: Typical Application Components
      • Lesson 3: Cover Sheet
      • Lesson 3: Attorney General (AG) Certification
      • Lesson 3: System Description(s)
      • Lesson 3: Submitting the Application
      • Lesson 3: End of Lesson
    • Lesson 4: The EPA Review and Approval Process under Part 3
      • Lesson 4: Technical Review Committee (TRC)
      • Lesson 4: End of Lesson
    • Lesson 5: CROMERR-Compliant Electronic Reporting
      • Lesson 5: Overview of CROMERR Requirements for Electronic Reporting
      • Lesson 5: Requirements for Authorized Program e-Reporting
      • Lesson 5: Standards for an Acceptable Electronic Document Receiving System
      • Lesson 5: Defining "Valid Electronic Signatures"
      • Lesson 5: System Requirements for Receiving e-Signatures
      • Lesson 5: Priority vs. Non-Priority Reports
      • Lesson 5: Title: Enforceability Provisions
      • Lesson 5: Title: End of Lesson
    • Lesson 6: Using the Checklist to Work through System Requirements
      • Lesson 6: Registration
      • Lesson 6: Signature Process
      • Lesson 6: Submission Process
      • Lesson 6: Signature Validation
      • Lesson 6: Copy of Record (COR)
      • Lesson 6: The CROMERR Requirements and the Checklist Items
      • Lesson 6: End of Lesson
    • Lesson 7: From Requirements to Solutions
      • Lesson 7: From Requirements to Specific Solutions
      • Lesson 7: From Requirements to Specific Solutions Two Key Decisions
      • Lesson 7: Key Decision 1 - Type of Credential Used
      • Lesson 7: Key Decision 1 - Type of Credential Used (continued)
      • Lesson 7: Key Decision 2 - Defining the Copy of Record (COR)
      • Lesson 7: From Key Decisions to CROMERR-Compliant Solutions
      • Lesson 7: End of Lesson
    • Lesson 8: Four Critical Checklist Items
      • Lesson 8: CROMERR System Checklist Items
      • Lesson 8: Additional Sample Solutions
      • Lesson 8: End of Lesson
  • Overview for CROMERR
  • Program Announcements & Initiatives
  • Approved CROMERR Applications
  • CROMERR Federal Register Notices
  • Application Tools & Templates
  • Sample Applications & Checklists
  • Glossary
  • Frequently Asked Questions
  • Help Desk
Contact Us about Cross-Media Electronic Reporting Rule
Contact Us to ask a question, provide feedback, or report a problem.
Last updated on November 12, 2024
  • Assistance
  • Spanish
  • Arabic
  • Chinese (simplified)
  • Chinese (traditional)
  • French
  • Haitian Creole
  • Korean
  • Portuguese
  • Russian
  • Tagalog
  • Vietnamese
United States Environmental Protection Agency

Discover.

  • Accessibility Statement
  • Budget & Performance
  • Contracting
  • EPA www Web Snapshot
  • Grants
  • No FEAR Act Data
  • Plain Writing
  • Privacy
  • Privacy and Security Notice

Connect.

  • Data
  • Inspector General
  • Jobs
  • Newsroom
  • Regulations.gov
  • Subscribe
  • USA.gov
  • White House

Ask.

  • Contact EPA
  • EPA Disclaimers
  • Hotlines
  • FOIA Requests
  • Frequent Questions
  • Site Feedback

Follow.