Lesson 6: The CROMERR Requirements and the Checklist Items
From the detailed discussion of the CROMERR System Checklist items, it should be evident that each checklist item corresponds to specific CROMERR requirements, and vice versa.
The tables on this page make this correspondence explicit.
- The first table maps CROMERR requirements to the corresponding checklist items.
- The second table maps checklist items to the corresponding CROMERR requirements.
On this page:
- The CROMERR Requirements and the Checklist Items
- Mapping Processes and Checklist Items to Requirements
- Template
The CROMERR Requirements and the Checklist Items
System Requirements | Related Checklist Items |
---|---|
§ 3.2000(b)(1): The e-document is not alterable without detection. | Items 8, 10, 18, 19, 20 |
§ 3.2000(b)(2): Alterations to the e-document are documented by the system. | Items 8, 10, 18, 19, 20 |
§ 3.2000(b)(3): The e-document can only be submitted intentionally. | Item 11 |
§ 3.2000(b)(4): Submitters and signers can review the COR As defined in § 3.3 of CROMERR, a true and correct copy of an electronic document received by an electronic document receiving system, which copy can be viewed in a human-readable format that clearly and accurately associates all the information provided in the electronic document with descriptions or labeling of the information. A copy of record includes: 1) All electronic signatures contained in or logically associated with that document; 2) The date and time of receipt; and 3) Any other information used to record the meaning of the document or the circumstances of its receipt. of the e-document. | Item 9 |
§ 3.2000(b)(5): If an e-signature is required, then the e-document meets e-signature requirements: | |
(i) Signature valid at time of signing | Items 1, 2, 3, 13, 14, 15, 16 |
(ii) Document cannot be altered without detection after signing | Items 5, 17 |
(iii) Opportunity to review content | Item 6 |
(iv) Opportunity to review certifications statement | Item 7 |
(v) Receipt Acknowledgement | Item 4 |
(vi) E-signature agreements | Item 12 |
(vii) Identity proofing with legal certainty | Items 1, 2 |
Mapping Processes and Checklist Items to Requirements
Checklist Items | System Requirement |
---|---|
Registration | |
1. Identity-Proofing of Registrant | § 3.2000(b)(5)(vii) |
2. Determination of Registrants Signing Authority | § 3.2000(b)(5)(vii) § 3.2000(b)(5)(i) |
3. Issuance (or Registration) of a Signing Credential in a Way that Protects it from Compromise In relationship to an electronic signature device, refers to when the device's code or mechanism is available for use by any other person. | § 3.2000(b)(5)(i) |
4. Electronic Signature Agreement As defined in § 3.3 of CROMERR, an agreement signed by an individual with respect to an electronic signature device that the individual will use to create his or her electronic signatures requiring such individual to protect the electronic signature device from compromise; to promptly report to the agency or agencies relying on the electronic signatures created any evidence discovered that the device has been compromised; and to be held as legally bound, obligated, or responsible by the electronic signatures created as by a handwritten signature. | § 3.2000(b)(5)(v) |
Signature Process | |
5. Binding of Signatures to Document Content | § 3.2000(b)(5)(ii) |
6. Opportunity to Review Document Content | § 3.2000(b)(5)(iii) |
7. Opportunity to Review Certification Statements and Warnings | § 3.2000(b)(5)(iv) |
Submission Process | |
8. Transmission Error Checking and Documentation | § 3.2000(b)(1)(2) |
9. Opportunity to Review COR | § 3.2000(b)(4) |
10. Procedures to Address Submitter or Signatory | § 3.2000(b)(1)(2) |
11. Procedure to Flag Accidental Submissions | § 3.2000(b)(3) |
12. Automatic Acknowledgement of Submission | § 3.2000(b)(5)(vi) |
Signature Validation | |
13. Credential Validation | § 3.2000(b)(5)(i) |
14. Signatory Authorization | § 3.2000(b)(5)(i) |
15. Procedures to Flag Counterfeit Credential Use | § 3.2000(b)(5)(i) |
16. Procedures to Revoke or Reject Compromised Credentials | § 3.2000(b)(5)(i) |
17. Confirmation of Signature Binding to Document Content | § 3.2000(b)(5)(ii) |
COR | |
18. Creation of COR | § 3.2000(b)(1)(2) |
19. Timely Availability of COR, as needed | § 3.2000(b)(1)(2) |
20. Maintenance of COR | § 3.2000(b)(1)(2) |
Template
The CROMERR System Checklist can help states (for the purposes of CROMERR) Includes the District of Columbia and the United States Territories, as specified in the applicable statutes. that are preparing their CROMERR applications in two ways:
- First, it explains the CROMERR system requirements as specific system processes.
- Second, it provides an approach for documenting how a system meets CROMERR requirements, by describing how the system provides for each of the checklist items.
To support the second use of the checklist, EPA has also developed a corresponding CROMERR System Checklist Template—a document that provides a format for describing how the states system satisfies each of the checklist items. While the CROMERR System Template is not required for application, EPA strongly recommends its use.
For each checklist item, the template provides three blank spaces, for:
- Business Practices
- System Functions
- Supporting Documentation (a list of attachments)
Depending on the systems solution for the item, the description may fit into one, two, or all of these blanks.
The CROMERR website provides several examples of how to use the CROMERR System Checklist Template to successfully document CROMERR-compliant systems for receiving electronic reports.
See: Sample applications and checklists
For some systems that use EPA Shared CROMERR Services or other EPA-developed off-the-shelf solutions for CROMERR compliance a checklist might not be needed.
See: Application Tools & Templates
For some commercially-developed off-the-shelf solutions, some vendors of these solutions might have checklist templates with some of the required information prepopulated.