The Supporting Statement for OMB 0596-0204
Financial Information Security Request Form
2011
Justification
Explain the circumstances that make the collection of information necessary. Identify any legal or administrative requirements that necessitate the collection. Attach a copy of the appropriate section of each statute and regulation mandating or authorizing the collection of information.
Regulations:
USDA DR-3140 (ADP Security Policy)
USDA DM-3140 (ADP Security Manual)
Public Law 107-347 – Federal Information Security Reform Act of 2002
Public Law 104-106 – Information Technology Management Reform Act of 1996
Title VI: NFC Security Access Procedures, Chapter 1 – Agency Liaison and Security Access, Section I: Security Access (unavailable electronically from NFC due to security constraints). The Guidelines Security Officers follow are defined in the NFC Client Security Officer Training Manual that is a part of the NFC Security Access Procedures noted above.
The majority of the Forest Service’s financial records are in databases stored at the National Finance Center (NFC). These records are maintained by both Forest Service employees and contractors who must receive access to NFC to perform essential duties. USDA DR-3140 and USDA DM-3140 require managers of computer processing operations to provide controlled access to facilities and computer resources. USDA agencies must designate unit ADP Security Officers (Client Security Officer) to manage access to computers and to coordinate requests for National Finance Center (NFC) access. NFC grants access to users only at the request of Client Security Officers. Currently, there are two Client Security Officers at the Forest Service’s Albuquerque Service Center. Field units presently do not perform these duties.
To gain access to NFC, the Forest Service uses an electronic FS-6500-214 form called the Financial Information Security Request. Prior to filling out the form, contractors must first complete specific training before a user may request access to certain financial systems. Once the trainings are successfully passed, contractor’s complete and submits the form request to NFC. Client Security Officer receives the request and permits access when appropriate.
In previous submissions, OMB was concerned about comments received from respondents regarding the clarity and burden of the information. The Forest Service responded by adding a statement to the form explaining why specific training is necessary before a user may request access to certain financial systems. Required fields are flagged for the user, and must be filled out before user can move to the next screen. After the form is complete, the closeout process includes a notice to fax the form (along with the appropriate fax number). An automatic process includes a response to the user, acknowledging receipt of the fax.
Also, all users (Federal employees and contractors) are required to respond to the two questions about IT Security and Privacy Act Basics training. Responses may be validated by reviewing a report of a user’s training history via the USDA training site (Aglearn) or certification by a user’s supervisor. Additional guidelines are posted on the Forest Service Finance Center’s internal website. The training courses and their burden have been added to the total burden estimate. In addition, briefings have been held with Finance Center employees to answer any security related questions.
Indicate how, by whom, and for what purpose the information is to be used. Except for a new collection, indicate the actual use the agency has made of the information received from the current collection.
What information will be collected - reported or recorded? (If there are pieces of information that are especially burdensome in the collection, a specific explanation should be provided.)
The contractor and the Forest Service Lotus Notes Database provide the information necessary to complete form, FS-6500-214. The contractor verifies completion of two courses within the last year: Privacy Act Basics and IT (Information Technology) Security. The contractor then enters the Lotus Notes short name assigned by the Forest Service. Using the Lotus Notes short name, the screen is populated with information that the contractor can change if incorrect: Name, work email, work telephone number, and job title.
The contractor checks the box for a nonfederal employee and provides the expiration date of the contract. The contractor then selects the databases and actions needed. Based on the database(s) selected, the contractor provides additional information regarding the financial systems, work location, access scope, etc. Once the form is submitted to the Client Security Officer, a one-page agreement automatically prints, which the contractor and Client Security Officer sign. The agreement is a certification statement that acknowledges the contractor’s recognition of the sensitive nature of the information and agrees to use the information only for authorized purposes.
Maintenance of records is according to filing schedule 6610-2 (Systems Management and Administration), retention period ends 3 years after termination of access.
From whom will the information be collected? If there are different respondent categories (e.g., loan applicant versus a bank versus an appraiser), each should be described along with the type of collection activity that applies.
Contractors are hired by the Forest Service to maintain financial records stored at NFC. Contracted employees usually work for a company who has a contract with the Forest Service. The contracted employees work various schedules, some work full time and some on a seasonal basis.
What will this information be used for - provide ALL uses?
The information will be used to determine what level of access to NFC financial systems is to be granted to contractors hired by the Forest Service.
How will the information be collected (e.g., forms, non-forms, electronically, face-to-face, over the phone, over the Internet)? Does the respondent have multiple options for providing the information? If so, what are they?
Electronic form FS-6500-214 is used to gather the information.
How frequently will the information be collected?
Collection occurs approximately three times a year per contractor – when a contractor is hired, to make modifications to a contractor’s access, and termination of access.
Will the information be shared with any other organizations inside or outside USDA or the government?
Only with those managing or overseeing the financial systems used by the Forest Service, this includes auditors.
If this is an ongoing collection, how have the collection requirements changed over time?
This is an ongoing collection and the collection requirements have not changed over time.
Describe whether, and to what extent, the collection of information involves the use of automated, electronic, mechanical, or other technological collection techniques or other forms of information technology, e.g. permitting electronic submission of responses, and the basis for the decision for adopting this means of collection. Also, describe any consideration of using information technology to reduce burden.
Except for a short acknowledgement form printed at the end of the application process, the information collection occurs within the electronic environment using form FS-6500-214. The form consists of a series of data entry screens. Some data items self-populate the screen after entry of the contractor’s Lotus Notes short name. The form is submitted electronically to the Client Security Officer for approval. The form’s data fields are validated using data stored electronically at NFC. It takes approximately 10 minutes for a contractor to complete and submit the access request. Use of an electronic form will eliminate redundant requests.
Describe efforts to identify duplication. Show specifically why any similar information already available cannot be used or modified for use for the purposes described in Item 2 above.
The information collected is unique to the Forest Service. Collection of the information occurs as needed for the specific purpose of requesting and acquiring access to NFC data. This information collection is necessary to meet information security and financial management requirements.
If the collection of information impacts small businesses or other small entities, describe any methods used to minimize burden.
The information has no impact on small businesses or other small entities, other than those contracting with the Forest Service to provide assistance in maintaining financial records. The impact is the minimal necessary to meet regulations and does not place an undo burden on contractors.
Describe the consequence to Federal program or policy activities if the collection is not conducted or is conducted less frequently, as well as any technical or legal obstacles to reducing burden.
Without collection of this information, contractors would not be able to request access to the records necessary to accomplish duties. Using Forest Service employees to process the requests would complicate the request process and result in duplication of effort at many levels of the organization, as well as the need to establish additional procedures for the processing of this information. Self-service application/collection programs such as this stream line operations and enable federal employees to focus on tasks that are more important.
Explain any special circumstances that would cause an information collection to be conducted in a manner:
Requiring respondents to report information to the agency more often than quarterly;
Contractors switching jobs, acquiring additional duties, and filling in for co-workers would necessitate requesting modifications to NFC access and documentation for security audits.
Requiring respondents to prepare a written response to a collection of information in fewer than 30 days after receipt of it;
Requiring respondents to submit more than an original and two copies of any document;
Requiring respondents to retain records, other than health, medical, government contract, grant-in-aid, or tax records for more than three years;
In connection with a statistical survey, that is not designed to produce valid and reliable results that can be generalized to the universe of study;
Requiring the use of a statistical data classification that has not been reviewed and approved by OMB;
That includes a pledge of confidentiality that is not supported by authority established in statute or regulation, that is not supported by disclosure and data security policies that are consistent with the pledge, or which unnecessarily impedes sharing of data with other agencies for compatible confidential use; or
Requiring respondents to submit proprietary trade secret, or other confidential information unless the agency can demonstrate that it has instituted procedures to protect the information's confidentiality to the extent permitted by law.
There are no other special circumstances. The collection of information is conducted in a manner consistent with the guidelines in 5 CFR 1320.6.
If applicable, provide a copy and identify the date and page number of publication in the Federal Register of the agency's notice, required by 5 CFR 1320.8 (d), soliciting comments on the information collection prior to submission to OMB. Summarize public comments received in response to that notice and describe actions taken by the agency in response to these comments. Specifically address comments received on cost and hour burden.
A Federal Register notice advertising the 60-day comment period was published on May 24, 2010 (Vol. 75, No. 99, Page 28777). No comments were received in response to this notice.
Describe efforts to consult with persons outside the agency to obtain their views on the availability of data, frequency of collection, the clarity of instructions and record keeping, disclosure, or reporting format (if any), and on the data elements to be recorded, disclosed, or reported.
Consultation with representatives of those from whom information is to be obtained or those who must compile records should occur at least once every 3 years even if the collection of information activity is the same as in prior periods. There may be circumstances that may preclude consultation in a specific situation. These circumstances should be explained.
Contractor’s consulted concerning this collection of information:
Paige L Durant, RWC Contractor
Raymond (Ray) D Shasteen, RWC Contractor
Eric Hausenfleck, Deloitte Contractor
Overview of Comments: Overall the comments received stated that the collection of information was relatively easy to complete and the screens navigation was simple and flowed nicely. Some comments received were outside the scope of this collection and focused on factuality of the overall electronic business system that this collection is a part of. The comments will be reviewed and addressed in the upgrade of the system.
The training required to complete this form was not mentioned. Agency believes that these trainings are necessary to ensure that all contractors and employees understand the standards and needs to safely secure sensitive information. The Agency will continue to require all contractors to pass the trainings.
Explain any decision to provide any payment or gift to respondents, other than re-enumeration of contractors or grantees.
Respondents will not receive payments or gifts for responses, other than that given to contractors.
Describe any assurance of confidentiality provided to respondents and the basis for the assurance in statute, regulation, or agency policy.
The contractors are responding as part of contracted responsibilities. There is no assurance of confidentiality.
Provide additional justification for any questions of a sensitive nature, such as sexual behavior or attitudes, religious beliefs, and other matters that are commonly considered private. This justification should include the reasons why the agency considers the questions necessary, the specific uses to be made of the information, the explanation to be given to persons from whom the information is requested, and any steps to be taken to obtain their consent.
There are no questions of a sensitive nature associated with this information collection.
Provide estimates of the hour burden of the collection of information. Indicate the number of respondents, frequency of response, annual hour burden, and an explanation of how the burden was estimated.
• Indicate the number of respondents, frequency of response, annual hour burden, and an explanation of how the burden was estimated. If this request for approval covers more than one form, provide separate hour burden estimates for each form.
a) Description of the collection activity
b) Corresponding form number (if applicable)
c) Number of respondents
d) Number of responses annually per respondent,
e) Total annual responses (columns c x d)
f) Estimated hours per response
g) Total annual burden hours (columns e x f)
(a) Description of the Collection Activity |
(b) Form Number |
(c) Number of Respondents |
(d) Number of responses annually per Respondent |
(e) Total annual responses (c x d) |
(f) Estimate of Burden Hours per response |
(g) Total Annual Burden Hours (e x f) |
IT Security Training |
n/a |
50 |
1 |
50 |
30 minutes |
25 |
Privacy Act Basics Training |
n/a |
50 |
1 |
50 |
30 minutes |
25 |
Completion of access request |
FS-6500-214 |
50 |
3 |
150 |
10 minutes |
25 |
Totals |
--- |
50 |
--- |
250 |
--- |
75 |
• Record keeping burden should be addressed separately and should include columns for:
a) Description of record keeping activity: None
b) Number of record keepers: None
c) Annual hours per record keeper: None
d) Total annual record keeping hours (columns b x c): Zero
• Provide estimates of annualized cost to respondents for the hour burdens for collections of information, identifying and using appropriate wage rate categories.
Respondents are contractors who are providing information as part of contracted duties. Therefore, there are no annualized costs to respondents.
Provide estimates of the total annual cost burden to respondents or record keepers resulting from the collection of information, (do not include the cost of any hour burden shown in items 12 and 14). The cost estimates should be split into two components: (a) a total capital and start-up cost component annualized over its expected useful life; and (b) a total operation and maintenance and purchase of services component.
There are no capital operation and maintenance costs.
Provide estimates of annualized cost to the Federal government. Provide a description of the method used to estimate cost and any other expense that would not have been incurred without this collection of information.
The response to this question covers the actual costs the agency will incur as a result of implementing the information collection. The estimate should cover the entire life cycle of the collection and include costs, if applicable, for:
Employee labor and materials for developing, printing, storing forms
Employee labor and materials for developing computer systems, screens, or reports to support the collection
Employee travel costs
Cost of contractor services or other reimbursements to individuals or organizations assisting in the collection of information
Employee labor and materials for collecting the information
Employee labor and materials for analyzing, evaluating, summarizing, and/or reporting on the collected information
Activity
|
||||||||||
|
Explain the reasons for any program changes or adjustments reported in items 13 or 14 of OMB form 83-I.
The Agency is requesting approval for 75 annual burden hours, based on 250 annual responses. This is an increase of 50 burden hours from the previous approval period. The difference is the result of including the training time required by contractors prior to signing the Security Form Request.
For collections of information whose results are planned to be published, outline plans for tabulation and publication.
There are no plans to publish the results of this information collection.
If seeking approval to not display the expiration date for OMB approval of the information collection, explain the reasons that display would be inappropriate.
The Forest Service would like to omit the expiration date of the OMB approval, as the electronic form and data collection process are the same for contractors and Forest Service employees. Including the expiration date would cause confusion.
Explain each exception to the certification statement identified in item 19, "Certification Requirement for Paperwork Reduction Act."
No exceptions to the Certification Requirement for the Paperwork Reduction Act are identified.
B. Collections of Information Employing Statistical Methods
This collection does not employ statistical methods, therefore part B has been omitted from this response.
Page
File Type | application/msword |
File Title | DRAFT |
Author | PCxx |
Last Modified By | cmwoolley |
File Modified | 2010-11-23 |
File Created | 2010-11-23 |