Central data exchange and the cross media electronic reporting and recordkeeping rule cromerrr
1 / 18

Central Data Exchange and The Cross-Media Electronic Reporting and Recordkeeping Rule (CROMERRR) - PowerPoint PPT Presentation

  • Uploaded on
  • Presentation posted in: Pets / Animals

Central Data Exchange and The Cross-Media Electronic Reporting and Recordkeeping Rule (CROMERRR). Office of Environmental Information USEPA. Presented by Matt Leopard Presented to NGA State-EPA Forum at Charleston, SC January 9, 2001. Today’s Topics. CDX (Brief Overview)

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.

Download Presentation

Central Data Exchange and The Cross-Media Electronic Reporting and Recordkeeping Rule (CROMERRR)

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

Central Data Exchange and The Cross-Media Electronic Reporting and Recordkeeping Rule (CROMERRR)

Office of Environmental Information


Presented by Matt Leopard

Presented to NGA State-EPA Forum at Charleston, SC

January 9, 2001

Today’s Topics

  • CDX (Brief Overview)

  • CDX Approach to Addressing CROMERRR

  • Discussion

What Is Central Data Exchange?

CDX Features:

  • Multiple Submission Venues -> One Submission Point

  • Supports “Mass Customization”

    • Flexibility of submission formats (Web, XML, EDI)

    • Tailors submissions to specific customer

  • Uniformity Across Functions

    • registration, receipt, archiving, distribution, customer services, security

  • Leverages:

    • Widely-accepted PKI approach

    • Open Standards (XML, EDI)


EPA reports that:

Require signature

Do not require signature

Can accept HTML, XML, Flat and EDI files that EPA has endorsed

Currently supporting TRI, Air emission inventory, PCS/IDEF and drinking water exchanges, retooling CDX exchange process for DMRs

Eventually expand ER across all EPA collections

Not Supported:

Multiple Digital Signature Software Solutions

HTML, XML, EDI, or flat file formats not accepted by EPA

EPA Confidential Business Information (not yet)

Encryption Software Solutions (not yet)

CBI Applications not currently “supported” (these may include certain FIFRA, TSCA, Acid Rain and other reports)

Central Data Exchange

CDX Processes:

  • Registration

    • CDX registration

    • Certificate Authority registration

  • Routine Submission of Forms

  • Renewal


CDX Data Flow -Web:digital signature with copy of record



Note: User computer denotes interactions with CDX via web forms.

Invalid logon/ID - CDX message


Logon via SSL

Database for user access contains mailbox/profile validation for ID and password

CDX Welcome

Generic page for all users, help, how-to etc.

Virus Scan

Valid logon/ID


Digital signature information is saved

Archive 2




Invalid certificate/signature – CDX message

Call CDX for Help

My CDX Custom Menu

Choose formEdit/enter data

Sign and submit

Pre-population look-up

Data Base

Archive 1

Edit/sign and

submit form

CDX message (ack or ack + virus detected)


Certificate/signature validation

Official copy in PDF with EPA signature to Submitter

Archive 3

Archive 4

Official copy of record

Translated/parsed data

Certificate Arbitrator Module (CAM)

Failed translation/parsing CDX message

EPA Staging Server

Certificate Authority (CA)

Translate/Parse Data

Certificate Revocation List (CRL)

Renewal Process

  • Requires users of the system to renew w. CDX every two years:

    • Must sign agreement with CDX that:

    • have not in any way compromised or delegated access to private key

    • no other evidence that any of these items (password, desktop software, account) have been compromised

  • Must also verify certificate with EPA’s CA

CDX Approach to Key Issues

David Schwarz, USEPA

How is Submitter Identified?

Key Features:

  • Registration uses “Two-pronged approach”:

    • “In-house” Pre-screening by EPA through Registration Process

    • “EPA independent” identity proofing of individual by Certificate Authority (CA)

  • Requires “Wet-Ink” signature on Signature Agreement and Renewal Agreements

  • During routine submission:

    • CDX user identified by account password issued by CDX

    • “Digitally signed” submissions verified by EPA’s CA

How is the Signature Bound to the Submission?

Key Features:

  • Data for signature is posted to users CDX web account in “human readable’ web form regardless of original format of data received (XML, EDI, flat).

  • When user is ready to sign form, must:

    • Agree to “Truth and Accuracy Statement” pop-up

  • Digital signature is applied to “format and content” of web form viewed

  • Signed data stream is transmitted through an encrypted SSL session.

How is the Signature Protected Against Unauthorized Use?


  • Signature can only be generated by:

    • accessing CDX account on EPA’s system

    • accessing private key on the user’s desktop system

    • accessing CDX software on user’s desktop

  • Software, private key cannot be shared with network or copied to another system

  • “Web” of out-of-band exchanges (acknowledgments, copy of records, etc.) provide means of detecting compromise

How is the signer made aware of the commitment he is bound to?

  • Initial “Wet Ink” Signature Agreement

  • “Reminders” during use of system:

    • Upon logging onto/off user’s CDX account

    • Upon invoking digital signature

    • Through receipt of acknowledgements, copy of records

  • Must “renew” agreement every two years

How is data protected in transit? In storage?

  • “Digitally signed” data are submitted to EPA through SSL session with CDX

  • Password authentication, integrity checking and signature verification performed at CDX

  • Four-step archiving process captures “Snapshot” of signed data as it is received, authenticated, translated and presented back to user as copy of record.

The “Copy of Record”

  • What is it?

    • electronic document as it was signed

    • the verified digital signature affixed

    • the date and time of receipt

    • and EPA’s digital signature of the entire content

  • Admissibility of Copy of Record

    • Must demonstrate authenticity of record and source

    • Must also consider “evidentiary weight” of COR

Copy of Record


  • Copy of record “signed’ by EPA and provided back to user’s private account

  • Application of EPA’s digital signature prevents argument that data was altered

  • Centralized archiving and audit management functions ensure consistent process across submissions

  • Four-step archiving process ensures detailed historical record of document at each stage of CDX process


  • Login