Addendum to the Supporting Statement for 0960-0626

Addendum to the Supporting Statement for

Single Sign-On (SSO) & Integrated Registration Services (IRES)

20 CFR 401.45

OMB No. 0960-0626

Revision to the Collection Instrument

1. SSO & IRES – Registration & Authentication

We are adding new Single Sign-On functionality – which includes registration and authentication - and screens to SSA's current Integrated Registration Services (IRES) and to the back-end Customer Support Application (CSA – which supports the same services available through the automated IRES process) for SSA's Business Services Online (BSO). The Single Sign-On process will support the authentication and registration of individuals appointed by SSA claimants to represent them throughout the process of filing for benefits. After registering online, these Appointed Representatives will be able to gain access to SSA's Appointed Representative Suite of Services, which will allow them to do business with SSA electronically. We will need to collect and store some additional information from these individuals in order to register them and issue credentials in accordance with NIST 800-63 Guidelines. The purpose of Single Sign-On is to implement a unified registration model providing a single credential and consolidation of security and access management across Business-to-Government (B2G) services. This revised clearance request covers the functionality needed to begin to bring the Appointed Representative community into the arena of SSA's electronic services. SSA will implement Phase 1 of this new process in October of 2009.

SSA currently has an Internet-based registration process to verify the identity of individuals who use the eService Internet for requesting and exchanging business data with SSA. This process, the Integrated Registration Service (IRES), verifies, the identity of the individual, registers the individual, and results in the issuance of a credential to that individual – User ID and Password. We are adding a new user group - Individual Appointed Representatives - to the existing groups of Individual Respondents who elect to conduct business with SSA in the electronic/automated medium.

For Phase 1 - Scope of Single Sign-On for the Appointed Representative Suite of Services:

Registration – Identity-proof and register Appointed Representatives in a manner consistent with NIST Guidelines (SP 800-63). Establish Appointed Rep (AR) roles and capture additional data such as fiscal payment data and cell phone number based upon the requested role. Issue a PIN and Password. Store all rep data on a central database and provide method for reps to update registration data via the Internet.

The registration process for Appointed Representatives will be a 2-step process to achieve level 2 authentication and identity-proofing requirements. SSA will collect the current IRES information (name, SSN, DOB, and address) from the registrant to perform the SSN check (this is the same information that is contained in Section 1 of the form SSA-1699).  SSA issues a user ID and tells the registrant to select a password.  At this stage, the registrant has only a level 1 credential and must request access to the AR suite of services before IRES collects the Employer Identification Number (EIN) or generates the activation code. Once the registrant requests access to the Appointed Representative suite of services, the registrant will undergo a brief screening to determine if the work he or she performs is for a firm or is self employment. If he or she works for a firm, the registrant must provide the EIN.

The registrant is then instructed to log out and told that an activation code will be mailed to the address of record for the employer to whom the EIN belongs or the address in the Self Employment (SE) database.  If there is no EIN address on file, IRES will use the existing Employer Identification File (EIF) force process (including other documentation of the address of record). If there is no SE address, the registrant will not be able to have access to the electronic folder in Phase I. 

Assuming the employer wants the registrant to have access to the online services; IRES will instruct the employer to give the activation code to the registrant.  The registrant will log into the online services with the user ID and password, then type in the activation code. Successful transactions result in the registrant accessing the remainder of the SSA-1699 for completion.  IRES can propagate information currently on the Appointed Representative Data Base (ARDB) about the registrant to the registrant online.  At the conclusion of the session, IRES issues the registrant a Representative ID (Rep ID). 

SSA will remove the Master Earnings File (MEF) check from the Level 2 Registration process, but we will retain the MEF check as a feature for access to the Level 3 Electronic Folder along with the mailing of another activation code.

Landing Page – Provide a page with access to e-Folder and the Appointed Rep Suite of Services. We are also adding a Landing Page to the collection instrument that will provide access to the Representative Suite of Services and to the eFolder.

Authentication – Provide Second-Factor Authentication when the Appointed Rep requests access to a higher level of service. Request user’s cell phone number and send an SMS Code to that user’s cell phone via a text message. Allow user to enter a one-time password (the SMS Code) and gain access.

For Phase 1, we are adding the request for the following pieces of information to the information collection process at registration and/or authentication time:

• Cell phone number;

• SMS code; and

• Multiple EINs.

MEF Failure Screen Changes

We will be requesting these additional two pieces of information as part of the Master Earnings File (MEF) Failure forced process for verification purposes:

• Authorizing Official’s SSN (added to the MEF Failure force process) and

• Authorizing Official’s DOB (added to the MEF Failure .

Other IRES Screen Changes

For Phase 1, we are making these changes to the IRES Internet screens:

• Updated Look and Feel to the IRES Login screen;

• Updated Look and Feel to the IRES Registration screen - change the address collected label to be designated as the Home Address now (for the W2 address verification check on the back end);

• New “Validate Your Identity” screens to provide Level 2 Registration that complies with NIST guidelines

• Updated Look and Feel to the IRES Update Registration screen;

• IRES will provide access to the Appointed Rep Registration application;

• IRES Request Access to Services will allow requesting of Appointed Rep Services;

• (New Screen) IRES will collect and have a process to update the SMS cell phone number; and

• IRES Main Menu will now allow access to Appointed Rep Services by having a link to the Appointed Rep Landing Page.

For Phase 2 - Scope of Single Sign-On for the Appointed Representative Suite of Services: We have not finished developing the business process for Phase 2. If there will be different IRES screens for Phase 2, we will submit them after we receive approval for Phase 1.

2. Customer Support Application (CSA)

The SSA Intranet-based Customer Support Application (CSA) provides customer support service for Integrated Registration Services (IRES). This application supports users who fail to successfully complete the registration process online.

CSA employs a series of menu-driven screen processes to assist Office of Central Operations (OCO)/Division of Employer Services (DES)/Employer Reporting Branch (ERB) personnel in completing customer support functions. The user community contacts Employer Reporting Technicians (ERTs) via an 800 telephone number service, and utilizes the CSA application to provide customer support to the IRES user community. Since the users have already accessed but failed to successfully complete IRES registration, the ERTs work with them from the point in which the IRES registration failed. Therefore, the users have already seen the Paperwork Reduction Act and Privacy Act statements and understand what they need to do in order to register.

There are also three exception processes where the system stops a user from choosing services during the Internet Request Access to Services process and must Fax or call in additional information.  These three exceptions that push the user into what we call a “forced” or manual process are:

• User is less than Age 18;

• No Address of Record is found for the EIN; and

• Failure of the Master Earnings File check. 

The CSA process supports the same services available through the automated IRES process.

3. Explanation of Screen Packages

The IRES screen package represents the online process for SSA’s Business Services. The screens in the IRES package are all part of the IRES process dealing with registration and authentication. All users complete the BSO screens in the IRES package. The BSO portion of the package is not new. We have just updated the screens with a new “look and feel.”

Only the Appointed Representatives complete the Appointed Representative (AR) screens in the IRES package. The Appointed Representative screens are new. SSA created and designed them for a specific group of users who will be accessing the Appointed Representative Suite of Services. These users will require a higher level of identity-proofing and authentication in order to access certain services within this suite.

The screens in the CSA package deal with the back-end process for individuals who drop out of the online process.