CROMERR and Electronic Signatures in nVIRO

Overview

nVIRO can be configured to require that certain forms be electronically signed before they are submitted. A user must be authorized to electronically sign before they are allowed to do so. Individual forms can be configured to require an electronic signature.

nVIRO’s electronic signature functionality is designed to meet the EPA Cross Media Electronic Reporting Rule (CROMERR) requirements. The CROMERR rule lays out specific requirements for electronically receiving, transmitting and storing electronic documents from an external party. The purpose of CROMERR is to ensure that electronically transmitted documents are legally defensible in the event that their origin or content becomes contested. While CROMERR addresses specific aspects of document encryption and storage, this article focuses specifically on the following aspects of electronic signatures:

  1. User security and configuration that allow a user to electronically sign,

  2. Configuring forms to require an electronic signature, and

  3. Applying an electronic signature to a submission.

Note that only external accounts can be granted signature authority. Internal agency user accounts cannot be granted electronic signature rights. Internal agency users can fill out and submit forms without being subjected to the electronic signature steps.

User Electronic Signature Settings and Requirements

In order for a user to electronically sign a form in nVIRO, they must satisfy two requirements:

  1. The user’s account must be granted signature authority, and

  2. The user must be granted certifier rights to sign forms for a specific facility or entity.

Each step is performed separately and can be performed in any order. The sections below describe each setting in detail.

Viewing and Editing External User's Signature Authority

The signature authority is granted as a setting on the user’s account. The process for granting signature authority to an account varies depending on how an nVIRO instance is configured. Regardless of the method, the user’s rights can be seen (and sometimes updated) by a security administrator on the User Details screen. By default, the checkbox labeled “Certifier Agreement Received and Approved” will indicate if the account has been granted signature authority.

nVIRO Configuration Options for Setting User’s Signature Authority

The following configuration options are available for setting user’s signature authority:

  1. Paper Form - External user must download, sign, and mail a form to the agency. An authorized internal user will process the paper form and will check the “Certifier Agreement Received and Approved” checkbox once it is determined the user should be granted signature authority.

  2. Shared CROMERR Services LexisNexis Identity Proofing - External user fills out and submits an online signature agreement from the User Profile screen. Next, the user is presented with an online identity-proofing process via LexisNexis Identity Proofing services. This option requires an agreement to be established between the agency and LexisNexis and additional special configuration by Windsor. If the user is not able to pass identity proofing, they are presenting with a link to download a hardcopy signature form

  3. Third-Party System Integration - User is granted signature authority through integration with a third-party system, such as an agency user management portal.

The option above is set via Deployment Setting that is configured by Windsor. The setting ID is UI.CERTIFIER.VERIFICATION_TYPE. Deployment settings are visible from the Admin Lookups screen.

Granting Certifier Rights to a Specific Facility or Entity

External users must also be granted rights to electronically sign forms for a specific facility. The certifier rights are performed from the User Role screen. The User Role screen is accessed from the Site Authorized Users list screen.

Setting a User’s Certifier Status to Approved (as an Internal User)

Delegating Certifier Approval Authority to External Administrators

nVIRO can be configured to allow external users who have the Administrator role on a site to approve and deny certifier rights for other users on the same site. This is controlled by deployment setting ACCT.ADMIN_CERT_EDIT and can be updated by Windsor.

When this setting is enabled, all administrators are granted certifier authority on sites to which they are granted access.

Updating a User’s Certifier Status

The certifier status settings display differently depending on the user and the existing status.

Currently Logged-in User

User Role Record

Options

Currently Logged-in User

User Role Record

Options

Internal user with security management permissions
or
External user with “Administrator” role for site and administrators

No certifier status assigned, “Pending”, or “Denied”

Drop down displays allowing setting user role to “Approved” or “Denied”

Internal user with security management permissions
or
External user with “Administrator” role for site

No certifier status assigned or “Approved”

Certifier Status is read-only

External User (non-Administrator)

User is viewing own record and there is no history of certifier access on the site

“Request Certifier Access” button appears. Once clicked, transitions to “Pending” status

Automatically Granting Certifier Status on New Sites

nVIRO can be configured to automatically grant an external user certifier status on new sites that they create. This option is turned off by default. This is controlled by deployment setting ACCT.CERT_APPROVED_NEW_SITES and can be updated by Windsor.

Configuring a Form to Require an Electronic Signature

When configuring an nFORM form, the Certification Requirements tab provides settings for enabling electronic signatures.

nFORM Certification Requirement Configuration

The three options that control form behavior upon submission are:

  • Signature(s) Required checkbox,

  • Electronic Signature checkbox, and

  • Enhanced Certification checkbox.

Depending on the options selected, the submission behavior varies as described below

  • If only the Signatures Required checkbox is checked, the user simply clicks the “Submit Form” button to submit the form.

  • If the Signature(s) Required and Electronic Signature checkboxes are checked, the user must check a box stating they agree to the terms above before submitting

  • If the Signature(s) Required, Electronic Signature and Enhanced Certification checkboxes are all checked, the user must perform the entire CROMERR certification process consisting of:

    • Checking the boxes next to each of the pre-configured certification statements

    • Entering two security factors to verify their identity; typically their password and answering a pre-configured security question

The image below illustrates a typical signing screen for a form that has been configured for all three signing options above.

 

Related pages