If you tried to log into NetDMR in or after August 2024 and found that your password no longer worked, you were not alone. EPA's Central Data Exchange (CDX) — the authentication layer that had governed access to NetDMR for years — migrated to Login.gov as its identity provider. The change was announced in advance, but the implementation caught many operators off guard, and the failure mode was not obvious: your old username and password did not produce an error message explaining why they failed. For many users, the portal simply rejected their credentials with no clear path forward.
This post explains what actually changed, walks through the steps to restore or create access, identifies the most common errors people encounter during the migration, and covers what to do if you found yourself locked out at a deadline.
What Changed in August 2024
EPA's CDX platform is the umbrella system through which regulated entities submit data to EPA electronically — not just DMRs, but dozens of other reporting programs. Prior to the migration, CDX had its own username and password system that it managed internally. You created a CDX account, requested access to NetDMR specifically, and your state agency approved you as an authorized signatory or data provider.
Login.gov is a separate federal identity platform operated by the General Services Administration (GSA), not EPA. It was created to provide a unified, secure authentication system across many federal agencies. You may already have a Login.gov account if you have applied for federal benefits, accessed USAJOBS, or used other federal services. The important point is that Login.gov is not the same system as CDX. It is an identity provider that CDX now delegates authentication to.
After the migration, when you navigate to CDX and attempt to log in, you are redirected to Login.gov to verify your identity. Login.gov then passes an authentication token back to CDX, which grants you access. The CDX account still exists — your NetDMR authorizations, facility associations, and signatory rights remain in CDX — but the credential that proves your identity is now managed by Login.gov.
Step-by-Step: Creating a Login.gov Account for NetDMR
If you do not yet have a Login.gov account, or if the email address associated with your old CDX account does not match any Login.gov account, here is the correct sequence:
- Go to login.gov and click "Create an account." Use the same email address you used for your CDX account. This is important: if the emails do not match, CDX will not be able to link your Login.gov authentication to your existing CDX profile and NetDMR authorizations.
- Verify your email address by clicking the link Login.gov sends. This step must be completed before you can proceed.
- Set up multi-factor authentication (MFA). Login.gov requires at least one MFA method. Options include an authenticator app (recommended), SMS text message, security key, or backup codes. For a work context, an authenticator app like Google Authenticator or Microsoft Authenticator is the most reliable choice because it does not depend on a specific phone number remaining active.
- Complete identity verification if prompted. For higher-assurance access, Login.gov may ask you to verify your identity using a government-issued ID. This step may or may not be required depending on the access level CDX requires.
- Return to CDX (cdx.epa.gov) and click "Sign in with Login.gov." You will be redirected to Login.gov, enter your new credentials, complete MFA, and be returned to CDX. CDX should recognize your account based on the matching email address and restore access to your linked programs including NetDMR.
If CDX does not recognize your account after successful Login.gov authentication — meaning it presents you with a "new user" flow rather than your existing profile — stop and contact the EPA help desk before creating a duplicate account. The issue is typically an email mismatch that requires backend reconciliation by EPA staff.
Why Your Old CDX Password No Longer Works
This is the source of the most confusion. CDX credentials — the username and password you previously used — were not migrated to Login.gov. They are two entirely separate systems with separate credential stores. Login.gov has no knowledge of your CDX password, and CDX is no longer using its own password system for authentication. There is no way to "transfer" your old password.
This is by design. Login.gov enforces stronger security standards — phishing-resistant MFA, identity proofing, and stricter password policies — than the legacy CDX credential system provided. The tradeoff is that the migration required every user to take an active step rather than experiencing a seamless transition. Anyone who did not see the advance communication and did not proactively create a Login.gov account before the cutover date found themselves unable to log in the next time they needed to submit.
Common Errors During the Migration
Several specific failure modes appear repeatedly. Knowing them in advance saves significant troubleshooting time:
Email mismatch: The most common issue. Your CDX account was registered with a work email address that has since changed (organization rebrand, staff email update, ISP change), or you attempt to create a Login.gov account with a personal email while your CDX account uses your work email. The fix is always to use the exact email address on record in CDX.
Old bookmarks pointing to deprecated URLs: Many operators bookmarked the direct NetDMR login URL rather than going through CDX. After the migration, those direct URLs no longer function as authentication entry points. Always start at cdx.epa.gov and navigate to NetDMR from there.
MFA setup on a device you no longer have: If you configured Login.gov MFA on a phone that was subsequently lost, replaced, or has a different number, you can be locked out of Login.gov itself. Login.gov has an account recovery process, but it requires at least one backup method to have been configured. This is why setting up backup codes during initial account creation is important.
Browser compatibility and cookie issues: CDX and Login.gov use redirect flows that depend on cookies and session state. Private/incognito mode, aggressive cookie blocking, or outdated browsers can break the redirect flow. Use a standard browser session and ensure third-party cookies from epa.gov and login.gov are not being blocked.
Corporate firewall blocking Login.gov: Some municipal IT departments have allowlists for federal domains. If login.gov is not on the allowlist, the redirect from CDX will fail silently or produce a generic error. Contact your IT department to verify that login.gov is permitted.
What to Do If You Are Locked Out
If you cannot get in and have a submission deadline approaching, here is the priority sequence:
- Contact the EPA NetDMR help desk at EPANetDMR@epa.gov. Include your facility name, permit number, CDX username if you know it, and a description of the specific error you are seeing. Allow 1–2 business days for a response, though urgent requests tied to imminent deadlines are often handled faster.
- Contact your state NPDES authority simultaneously. Your state agency can note in their records that you experienced a system access issue, which is relevant if a late submission ends up in a compliance review. Get this communication in writing — email is fine — and document the date and time you reported the issue.
- Keep screenshots of every error message you encounter. These are your evidence that the failure was a system issue, not a failure to attempt submission.
- Do not attempt to submit your DMR by mail or fax unless your permit or state agency explicitly directs you to do so as an emergency alternative. Some states have specific backup procedures; confirm with your state agency before taking an alternative path.
Always have at least two people set up as authorized representatives in NetDMR. Single-point-of-failure is the #1 cause of missed deadlines we see at small facilities.
Staff Turnover and Non-Transferable Accounts
NetDMR accounts are tied to individual people, not to facilities or organizations. An authorized signatory is a specific named individual who has signed EPA Form 3510-6 or the equivalent electronic signature agreement. That authorization cannot be transferred to another person, even temporarily. When the person who holds signatory authority for your facility leaves, retires, or is unavailable, no one else can legally sign and submit DMRs until a new authorized signatory is registered and approved by the state agency.
The approval process for a new authorized signatory typically takes days to weeks depending on your state. This is not the process you want to be starting the week before a submission deadline.
The mitigation is to maintain at least two current authorized representatives at all times, and to review and update the list annually. Designate one primary and one backup. Ensure both have active Login.gov accounts with working MFA, and have both log into NetDMR at least quarterly to confirm access. A Login.gov account that goes unused for an extended period can require re-verification. Catching this during a routine check is far less stressful than discovering it on deadline day.
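The quarterly check described above can be run against a simple roster. The following is an added example, not EPA or Login.gov tooling: the roster format, field names, MFA labels, and the 92-day reading of "quarterly" are all assumptions, and the sample entries are constructed.

```python
from datetime import date

# Constructed sample roster (not real people or facilities). Field names are
# assumptions for this example; neither CDX nor Login.gov exports this format.
ROSTER = [
    {"facility": "WWTP-A", "name": "Primary", "cdx_email": "ops@city.example",
     "login_gov_email": "ops@city.example", "mfa_methods": ["totp", "backup_codes"],
     "last_netdmr_login": date(2025, 5, 20)},
    {"facility": "WWTP-A", "name": "Backup", "cdx_email": "backup@city.example",
     "login_gov_email": "backup@city.example", "mfa_methods": ["sms"],
     "last_netdmr_login": date(2024, 11, 2)},
    {"facility": "WWTP-B", "name": "Solo", "cdx_email": "solo@oldname.example",
     "login_gov_email": "solo@newname.example", "mfa_methods": ["totp", "security_key"],
     "last_netdmr_login": date(2025, 6, 1)},
]

MAX_IDLE_DAYS = 92   # assumed reading of "at least quarterly"
MIN_REPS = 2         # one primary and one backup per facility


def audit_roster(roster, today):
    """Return sorted (facility, person, finding) tuples for every gap found."""
    findings = []
    ready_by_facility = {}
    for rep in roster:
        problems = []
        # Linking to the existing CDX profile relies on the exact same email.
        if rep["cdx_email"].strip() != rep["login_gov_email"].strip():
            problems.append("email mismatch between CDX and Login.gov")
        # With a single MFA method, one lost device locks the account.
        if len(set(rep["mfa_methods"])) < 2:
            problems.append("no backup MFA method")
        idle = (today - rep["last_netdmr_login"]).days
        if idle > MAX_IDLE_DAYS:
            problems.append(f"no NetDMR login for {idle} days")
        ready_by_facility.setdefault(rep["facility"], 0)
        if not problems:
            ready_by_facility[rep["facility"]] += 1
        findings += [(rep["facility"], rep["name"], p) for p in problems]
    for facility, ready in ready_by_facility.items():
        if ready < MIN_REPS:
            findings.append((facility, "*", f"only {ready} of {MIN_REPS} representatives ready"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_roster(ROSTER, date(2025, 6, 15)):
        print(" | ".join(finding))
```

A facility-level finding (marked `*`) appears whenever fewer than two people pass every check, which is the single-point-of-failure condition.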
System Outages During Submission Deadlines
NetDMR, like any online system, experiences periodic outages. When an outage coincides with a submission deadline, the documentation procedure is critical. Here is what to do:
- Screenshot the error. Capture the full browser window including the URL bar and a timestamp visible somewhere (your system clock in the screenshot, or a visible date on the page). Take multiple screenshots at different times to show the outage duration.
- Check EPA's system status page and CDX announcements for any posted outage notices. If EPA has acknowledged the outage officially, save that documentation.
- Email your state NPDES authority immediately describing the situation: date, time, what you were attempting to do, what error you received, and how long the outage lasted. Send this email during the outage, not after the fact.
- Attempt submission again as soon as the system is restored. Most state agencies have policies allowing late submissions caused by documented system outages to be treated as timely, but this protection only applies when you have documented your attempts.
- Keep all documentation — screenshots, emails, and your own log — for at least three years. Compliance audits can look back that far, and documented system outages are a recognized affirmative defense.
The consistent theme across login issues, staff turnover, and outages is preparation time. Every one of these situations becomes significantly less damaging when it is not discovered at the moment of a submission deadline. Quarterly account verification drills, current authorized representative rosters, and documented backup contacts at your state agency are low-effort investments that absorb what would otherwise be compliance-threatening disruptions.