Supporting_Statement

Supporting_Statement.doc

Financial Information Security Request Form

OMB: 0596-0204

Document [doc]
Download: doc | pdf


The Supporting Statement for OMB 0596-0204

Financial Information Security Request Form

June 2007


Terms of Clearance

In accordance with 5 CFR 1320.5(a)(1)(F), prior to the agency's next request for OMB approval, the agency shall address the comments received from respondents regarding the clarity and burden of the information.

Forest Service Response:

Comments from contractors contacted as part of the emergency Information Collection Request submitted in February 2007 are included in item A.8. of this package. The Forest Service offers the following response to these concerns:

The Forest Service has spoken again with each of the commenters and taken action on significant areas of concern. Minor issues were resolved informally.

The Forest Service computer specialists have added a statement to the form explaining why specific training is necessary before a user may request access to certain financial systems. Required fields are flagged for the user, and must be filled out before user can move to the next screen. After the form is completed, the closeout process includes a notice to fax the form (along with the appropriate fax number). An automatic process includes a response to the user, acknowledging receipt of the fax.

All users (Federal employees and contractors) are required to respond to the two questions about IT Security and Privacy Act Basics training. Responses may be validated by reviewing a report of a user’s training history via the USDA training site (Aglearn) or certification by a user’s supervisor. Additional guidelines are posted on the Forest Service Finance Center’s internal website. In addition, briefings have been held with Finance Center employees to answer any security related questions.

  1. Justification


  1. Explain the circumstances that make the col­lection of information necessary. Iden­tify any legal or administrative require­ments that necessitate the collection. Attach a copy of the appropriate section of each statute and regulation mandating or authorizing the col­lection of information.

Regulations:

  • USDA DR-3140 (ADP Security Policy)

  • USDA DM-3140 (ADP Security Manual)

  • Public Law 107-347 – Federal Information Security Reform Act of 2002

  • Public Law 104-106 – Information Technology Management Reform Act of 1996

  • Title VI: NFC Security Access Procedures, Chapter 1 – Agency Liaison and Security Access, Section I: Security Access (unavailable electronically from NFC due to security constraints). The Guidelines Security Officers follow are defined in the NFC Client Security Officer Training Manual that is a part of the NFC Security Access Procedures noted above.

The majority of the Forest Service’s financial records are in databases stored at the National Finance Center (NFC). The Forest Service uses employees and contractors to maintain these financial records. The employees and contractors must have access to NFC to perform their duties.

USDA DR-3140 and USDA DM-3140 require managers of computer processing operations to provide controlled access to facilities and computer resources. USDA agencies must designate unit ADP Security Officers (Client Security Officer). The unit’s Client Security Officer is responsible for management of access to computers and coordinates all requests for National Finance Center (NFC) access. NFC grants access to users only at the request of Client Security Officers. At present, there are two Client Security Officers at the Albuquerque Service Center. No field units are performing these functions.

In the past, the Forest Service used a paper version of form FS-6500-214 – Financial Information Security Request to apply to NFC for access for a specific employee or contractor. A Forest Service employee filled out the form for a contractor; the contractor and Client Security Officer signed the form, and faxed it to NFC. The paper form has become obsolete with the initiation of the electronic version of the form.

An electronic version of this form is available and used by employees. Due to program management decisions and budget constraints, it has been determined that contractors will need to complete and submit the form. No Forest Service employees are available to complete and submit the form requesting contractor access to NFC.

  1. Indicate how, by whom, and for what pur­pose the information is to be used. Except for a new collec­tion, indicate the actual use the agency has made of the infor­ma­tion received from the current collec­tion.

  1. What information will be collected - reported or recorded? (If there are pieces of information that are especially burdensome in the collection, a specific explanation should be provided.)

The contractor and the Forest Service Lotus Notes Database provide the information necessary to complete form FS-6500-214. The contractor verifies completion of two courses within the last year: Privacy Act Basics and IT (Information Technology) Security. The contractor then enters the Lotus Notes short name assigned by the Forest Service. Using the Lotus Notes short name, the screen is populated with information that the contractor can change if incorrect: Name, work email, work telephone number, and job title. The contractor checks the box for a nonfederal employee and provides the expiration date of the contract. The contractor then selects the databases and actions needed. Based on the database(s) selected, the contractor provides additional information regarding the financial systems, work location, access scope, etc. Once the form submitted to the Client Security Officer, a one-page agreement automatically prints, which the contractor and Client Security Officer sign. The agreement is a certification statement that acknowledges the contractor’s recognition of the sensitive nature of the information and agrees to use the information only for authorized purposes.

Maintenance of records is according to filing schedule 6610-2 (Systems Management and Administration), retention period ends 3 years after termination of access.

  1. From whom will the information be collected? If there are different respondent categories (e.g., loan applicant versus a bank versus an appraiser), each should be described along with the type of collection activity that applies.

Contractors hired by the Forest Service to maintain financial records stored at NFC. Contracted employees usually work for a company who has a contract with the Forest Service. The contracted employees work various schedules, some work full time and some on a seasonal basis.

  1. What will this information be used for - provide ALL uses?

The information will be used to determine what level of access to NFC financial systems is to be granted to contractors hired by the Forest Service.

  1. How will the information be collected (e.g., forms, non-forms, electronically, face-to-face, over the phone, over the Internet)? Does the respondent have multiple options for providing the information? If so, what are they?

Electronic form FS-6500-214 is used to gather the information.

  1. How frequently will the information be collected?

Collection occurs approximately three times a year per contractor – when contractor hired, to make modifications to a contractor’s access, and termination of access.

  1. Will the information be shared with any other organizations inside or outside USDA or the government?

Only with those managing or overseeing the financial systems used by the Forest Service, this includes auditors.

  1. If this is an ongoing collection, how have the collection requirements changed over time?

This is a new collection.

  1. Describe whether, and to what extent, the collection of information involves the use of auto­mat­ed, elec­tronic, mechani­cal, or other techno­log­ical collection techniques or other forms of information technol­o­gy, e.g. permit­ting elec­tronic sub­mission of respons­es, and the basis for the decision for adopting this means of collection. Also, describe any con­sideration of using in­fo­r­m­a­t­ion technolo­gy to re­duce bur­den.

Except for a short acknowledgement form printed at the end of the application process, the information collection occurs within the electronic environment using form FS-6500-214. The form consists of a series of data entry screens. Some data items self-populate the screen after entry of the contractor’s Lotus Notes short name. The form is submitted electronically to the Client Security Officer for approval. The form’s data fields are validated using data stored electronically at NFC. It takes approximately 10 minutes for a contractor to complete and submit the access request. Use of an electronic form will eliminate redundant requests.

  1. Describe efforts to identify duplica­tion. Show specifically why any sim­ilar in­for­mation already avail­able cannot be used or modified for use for the purpos­es de­scri­bed in Item 2 above.

The information collected is unique to the Forest Service. Collection of the information occurs as needed for the specific purpose of requesting and acquiring access to NFC data. This information collection is necessary to meet information security and financial management requirements.

  1. If the collection of information im­pacts small businesses or other small entities, describe any methods used to mini­mize burden.

The information has no impact on small businesses or other small entities, other than those contracting with the Forest Service to provide assistance in maintaining financial records. The impact is the minimal necessary to meet regulations and does not place an undo burden on contractors.

  1. Describe the consequence to Federal program or policy activities if the collection is not conducted or is con­ducted less fre­quent­ly, as well as any technical or legal obstacles to reducing burden.

Without collection of this information, contractors would not be able to request access to the records necessary to accomplish duties. Using Forest Service employees to process the requests would complicate the request process and result in duplication of effort at many levels of the organization, as well as the need to establish additional procedures for the processing of this information. Self-service application/collection programs such as this stream line operations and enable federal employees to focus on tasks that are more important.

  1. Explain any special circumstances that would cause an information collecti­on to be con­ducted in a manner:

  • Requiring respondents to report informa­tion to the agency more often than quarterly;

Contractors switching jobs, acquiring additional duties, and filling in for co-workers would necessitate requesting modifications to NFC access and documentation for security audits.

  • Requiring respondents to prepare a writ­ten response to a collection of infor­ma­tion in fewer than 30 days after receipt of it;

  • Requiring respondents to submit more than an original and two copies of any docu­ment;

  • Requiring respondents to retain re­cords, other than health, medical, governm­ent contract, grant-in-aid, or tax records for more than three years;

  • In connection with a statisti­cal sur­vey, that is not de­signed to produce valid and reli­able results that can be general­ized to the uni­verse of study;

  • Requiring the use of a statis­tical data classi­fication that has not been re­vie­wed and approved by OMB;

  • That includes a pledge of confidentiality that is not supported by au­thority estab­lished in statute or regu­la­tion, that is not sup­ported by dis­closure and data security policies that are consistent with the pledge, or which unneces­sarily impedes shar­ing of data with other agencies for com­patible confiden­tial use; or

  • Requiring respondents to submit propri­etary trade secret, or other confidential information unless the agency can demon­strate that it has instituted procedures to protect the information's confidentiality to the extent permit­ted by law.

There are no other special circumstances. The collection of information is conducted in a manner consistent with the guidelines in 5 CFR 1320.6.

  1. If applicable, provide a copy and iden­tify the date and page number of publication in the Federal Register of the agency's notice, required by 5 CFR 1320.8 (d), soliciting com­ments on the information collection prior to submission to OMB. Summarize public com­ments received in response to that notice and describe actions taken by the agency in response to these comments. Specifically address com­ments received on cost and hour burden.

A Federal Register notice advertising the 60-day comment period was published on Thursday, April 26, 2007 (Vol. 72, Page 20814). No comments were received in response to this notice.

Describe efforts to consult with persons out­side the agency to obtain their views on the availability of data, frequency of collection, the clarity of instructions and record keeping, disclosure, or reporting format (if any), and on the data elements to be recorded, disclosed, or reported.

Consultation with representatives of those from whom information is to be obtained or those who must compile records should occur at least once every 3 years even if the col­lection of information activity is the same as in prior periods. There may be circumstances that may preclude consultation in a specific situation. These circumstances should be explained.

Three contracted employees commented on this collection of information at the request of the Forest Service proponent of this collection.

Commenter 1: Linda Smith (RWC), (505) 563-7151,

Comments:

  • Was the form easy to use?

It was easy to use, however, if you are asking to have access extended past the current expiration date you cannot fill in your ID numbers for the systems you have access to and hit continue as it takes to you a screen with the Add an NFC system record. It will not let you continue unless you click on one of the options, which none apply to this request. So what has to be done is to skip to the end and type your information into the comment field.

  • Do you understand why the form is needed?

Yes, I do understand why the form is needed.

Commenter 2: Mike Gagnon (RWC, (505) 563-7664,

Comments:

Is this testing for OMB or for the ASC\FS Field security access request as this form resides on the Region 3 SQL Server?

  • The user can enter any completed date they want. The completed date should just populate as the request date appears on the top of the second page.

  • George Wren's name appears as George C Wren". It adds a double quote at the end of the name.

  • Instructions as to which fields are required or need to be completed could be clearer.

  • I didn't expect that after I entered my lotus short name that the screen would go blank, thought something went wrong.

  • If I try to use the Previous Button it wouldn't let me go back without completing all the fields.

  • If my phone number can be populated from my lotus notes information, why can't the supervisor’s phone number be populated?

  • If I choose the reset form button, it makes me start over again instead of just resting just that page.

  • What happens after this information has been collected? Will I get an email after the changes have been updated to my profile? What are the steps that follow? What's the turn around time?

  • A contractor my not know what region unit they are working in.

  • Not clear on what the expiration date means on the second page.

  • If I answer no to any question on page one, I am directed to another page stating that you must have completed both IT and Privacy Act training. When I click the next page button I go no where, except the same page. At this point the user should be told something, like close your browser.

  • If I check yes to both questions without having the proper training, is there some kind of validation that is done, before updating someone's profile.

Commenter 3: Darryl Brown, (505) 563-7130,

Comments:

  • Was the form easy to use?

Yes, simple to follow

  • Do you understand why the form is needed?

Yes

Response:

The Forest Service has spoken again with each of the commenters and taken action on significant areas of concern. Minor issues were resolved informally.

The Forest Service computer specialists have added a statement to the form explaining why specific training is necessary before a user may request access to certain financial systems. Required fields are flagged for the user, and must be filled out before user can move to the next screen. After the form is completed, the closeout process includes a notice to fax the form (along with the appropriate fax number). An automatic process includes a response to the user, acknowledging receipt of the fax.

All users (Federal employees and contractors) are required to respond to the two questions about IT Security and Privacy Act Basics training. Responses may be validated by reviewing a report of a user’s training history via the USDA training site (Aglearn) or certification by a user’s supervisor. Additional guidelines are posted on the Forest Service Finance Center’s internal website. In addition, briefings have been held with Finance Center employees to answer any security related questions.

        1. Explain any decision to provide any payment or gift to respondents, other than re-enumeration of contractors or grantees.

Respondents will not receive payments or gifts for responses, other than that given to contractors.

  1. Describe any assurance of confidentiality provided to respondents and the basis for the assurance in statute, regulation, or agency policy.

The contractors are responding as part of contracted responsibilities. There is no assurance of confidentiality.

  1. Provide additional justification for any questions of a sensitive nature, such as sexual behavior or attitudes, religious beliefs, and other matters that are commonly considered private. This justification should include the reasons why the agency considers the questions necessary, the specific uses to be made of the information, the explanation to be given to persons from whom the information is requested, and any steps to be taken to obtain their consent.

There are no questions of a sensitive nature associated with this information collection.

  1. Provide estimates of the hour burden of the collection of information. Indicate the number of respondents, frequency of response, annual hour burden, and an explanation of how the burden was estimated.

Indicate the number of respondents, frequency of response, annual hour burden, and an explanation of how the burden was estimated. If this request for approval covers more than one form, provide separate hour burden estimates for each form.

a) Description of the collection activity

b) Corresponding form number (if applicable)

c) Number of respondents

d) Number of responses annually per respondent,

e) Total annual responses (columns c x d)

f) Estimated hours per response

g) Total annual burden hours (columns e x f)

(a)

Description of the Collection Activity

(b)

Form Number

(c)

Number of Respondents

(d)

Number of responses annually per Respondent

(e)

Total annual responses

(c x d)

(f)

Estimate of Burden Hours per response

(g)

Total Annual Burden Hours

(e x f)

Completion of access request

FS-6500-214

50

3

150

10 minutes

25

Totals

---

50

---

150

---

25



Record keeping burden should be addressed separately and should include columns for:

a) Description of record keeping activity: None

b) Number of record keepers: None

c) Annual hours per record keeper: None

d) Total annual record keeping hours (columns b x c): Zero

Provide estimates of annualized cost to respondents for the hour burdens for collections of information, identifying and using appropriate wage rate categories.

Respondents are contractors who are providing information as part of contracted duties. Therefore, there are no annualized costs to respondents.

  1. Provide estimates of the total annual cost burden to respondents or record keepers resulting from the collection of information, (do not include the cost of any hour burden shown in items 12 and 14). The cost estimates should be split into two components: (a) a total capital and start-up cost component annualized over its expected useful life; and (b) a total operation and maintenance and purchase of services component.

There are no capital operation and maintenance costs.

  1. Provide estimates of annualized cost to the Federal government. Provide a description of the method used to estimate cost and any other expense that would not have been incurred without this collection of information.

The response to this question covers the actual costs the agency will incur as a result of implementing the information collection. The estimate should cover the entire life cycle of the collection and include costs, if applicable, for:

  • Employee labor and materials for developing, printing, storing forms

  • Employee labor and materials for developing computer systems, screens, or reports to support the collection

  • Employee travel costs

  • Cost of contractor services or other reimbursements to individuals or organizations assisting in the collection of information

  • Employee labor and materials for collecting the information

  • Employee labor and materials for analyzing, evaluating, summarizing, and/or reporting on the collected information


Activity

Cost to Government


Forest Service Employee Labor for filing signed acknowledgement forms

150 forms per year multiplied by 2 minutes per form multiplied by cost to government of GS-7/Step-1 ($20.93) = $104.65

Forest Service Employee Labor for developing computer systems and screens to collect information

How much did it cost to develop the program?

No additional cost beyond that incurred to develop program for use by Forest Service employees

Cost of contractors

150 contractor hours multiplied by $93.55 per hour = $14,032.50

Total Cost to Government

$14,137.15 $14,140.00



  1. Explain the reasons for any program changes or adjustments reported in items 13 or 14 of OMB form 83-I.

There are no changes or adjustments to this collection.

  1. For collections of information whose results are planned to be published, outline plans for tabulation and publication.

There are no plans to publish the results of this information collection.

  1. If seeking approval to not display the expiration date for OMB approval of the information collection, explain the reasons that display would be inappropriate.

The Forest Service would like to omit the expiration date of the OMB approval, as the electronic form and data collection process are the same for contractors and Forest Service employees. Including the expiration date would cause confusion.

  1. Explain each exception to the certification statement identified in item 19, "Certification Requirement for Paperwork Reduction Act."

No exceptions to the Certification Requirement for the Paperwork Reduction Act are identified.

B. Collections of Information Employing Statistical Methods

This collection does not employ statistical methods, therefore part B has been omitted from this response.

Page 10

File Typeapplication/msword
File TitleDRAFT
AuthorPCxx
Last Modified ByFSDefaultUser
File Modified2007-06-21
File Created2007-02-14

© 2024 OMB.report | Privacy Policy