Supporting_Statement 0632 (revised)

Supporting Statement for

Request for Internet Services – Password Authentication (RISPA)

20 CFR 401.45

OMB No. 0960-0632

A. Justification

1. Introduction/Authoring Laws and Regulations

The Social Security Administration (SSA) collects this information by authority of the Privacy Act of 1974 at 5 U.S.C. 552a(e)(10) of the United States Code, which requires agencies to establish appropriate administrative, technical, and physical safeguards to insure the security and confidentiality of records. 5 U.S.C. 552a(f)(2)&(3) also requires agencies to establish requirements for identifying an individual who requests a record or information pertaining to that individual and to establish procedures for disclosure of personal information. SSA codified Privacy Act rules in the Code of Federal Regulations, Subpart B. Procedures for verifying identity are at 20 CFR 401.45. Section 205(a) of the Social Security Act (the Act) authorizes SSA to collect this information.

2. Description of Collection

SSA uses a password infrastructure and process to verify the identity of individuals who choose to use the Internet to conduct personal business with SSA electronically. To obtain a password from SSA’s Individual Password Services, we ask an individual for certain information prescribed by SSA. SSA uses the information to authenticate individuals prior to issuing a temporary password. Once SSA authenticates individuals, and these individual create a permanent password, they may use SSA’s password protected services, e.g., account status, change of address, direct deposit elections, or changes. The respondents are individual electing to personal business with SSA electronically.

SSA will continue to collect and use the information to establish a Password Data File. The file will allow customers to conduct electronic business with the agency. Eventually, this Password Data file may become part of the Lightweight Directory Accessed Protocol (LDAP) Data File housed within the Access Control Utility (ACU).

We are removing the current Password Authentication (Pin and Password) option. See Addendum to the Supporting Statement for more details.

3. Use of Information Technology to Collect the Information

SSA automated this information collection. The requester keys in identifying information, transmits it over the Internet to SSA, and SSA compares the information to existing electronic records in real time. If the information keyed and transmitted matches with established SSA records, the System allows the requester to proceed to choose a password.

In accordance with the agency’s Government Paperwork Elimination Act plan, SSA created an Internet version of RISPA. Based on our data, we estimate approximately 100% of respondents under this OMB number use the electronic version.

4. Why We Cannot Use Duplicate Information

We post the information we collect through the ACU screen to SSA’s master electronic records, but we ask for it again for comparison and verification. There currently is no existing alternative way for SSA to verify identity electronically when the request is user-initiated over the Internet.

5. Minimizing Burden on Small Respondents

This collection does not significantly affect small businesses or other small entities.

6. Consequence of Not Collecting Information or Collecting it Less Frequently

If we did not obtain the information from RISPA, we would not be able to verify the requester’s identity, and would not be able to respond to these requests. In addition, since we collect this information on an as-needed basis, we cannot collect it less frequently.

There are no technical or legal obstacles to burden reduction.

7. Special Circumstances

There are no special circumstances that would cause SSA to conduct this information collection in a manner inconsistent with 5 CFR 1320.5.

8. Solicitation of Public Comment and Other Consultations with the Public

The 60-day advance Federal Register Notice published on December 15, 2011, at

76 FR 78068, and we received no public comments. The 30-day FRN published on February 29, 2012 at 77 FR 12350. If we receive any comments in response to this Notice, we will forward them to OMB.

9. Payment or Gifts to Respondents

SSA does not provide payments or gifts to the respondents.

10. Assurances of Confidentiality

The Privacy Act of 1974 protects the information collected. In addition, our Privacy Policy protects information collected by SSA for Internet Services that ensures the confidentiality of all information provided by the requester. Our Internet privacy policy is:

• You do not need to give us personal information to visit our site.

• We collect personally identifiable information (name, SSN, DOB or email) only if specifically and knowingly provided by you.

• We only use personally identifying information you provide in conjunction with services you request as described at the point of collection.

• We sometimes perform statistical analyses of user behavior in order to measure customer interest in the various areas of our site. We will disclose this information to third parties only in aggregate form.

• We do not give, sell, or transfer any personal information to a third party.

• We do not enable “cookies.” (A “cookie” is a file placed on your hard drive by a Web site that allows it to monitor your use of the site, usually without your knowledge.)

Additionally, SSA will ensure the confidentiality of the requester’s personal information in several ways:

• We encrypt all electronic requests using the Secure Socket Layer (SSL) security protocol. SSL encryption prevents a third party from reading the transmitted data even if they intercept it. This protocol is an industry standard and is used by banks such as Wells Fargo and Bank of America for Internet banking.

• We give the requester adequate warnings that the Internet is an open system and there is no absolute guarantee that others will not intercept and decrypt the personal information they have entered. We advise the requester of alternative methods of requesting personal information, i.e., a personal visit to a field office or a call to the 800 number.

Only upon verification of identity will we allow the requester access to additional screens that allow requests for and changes to personal information from SSA records.

11. Justification for Sensitive Questions

The information collection does not contain any questions of a sensitive nature.

12. Estimates of Public Reporting Burden

Collection Instrument	Number of Respondents	Frequency of Response	Average Burden Per Response (minutes)	Estimated Total Annual Burden (hours)
Internet Requestors	3,092,069	1	10	515,345

The total burden for this ICR is 515,345 hours. This figure represents burden hours, and we did not calculate a separate cost burden.

13. Annual Cost to the Respondents (Other)

This collection does not impose a known cost burden on the respondents.

14. Annual Cost To Federal Government

The annual cost to the Federal Government is approximately $30,000. This estimate is a projection of the cost maintaining the Internet application.

15. Program Changes or Adjustments to the Information Collection Request

We expect a decrease in the burden associated with this collection due to the removal of the automated telephone service piece. While a small portion of respondents may choose to move to the Internet to do business when the telephone services become unavailable, we still expect to see a decrease in total burden hours. Establishing a password is strictly an option that is available to title II and concurrent title II/title XVI recipients/applicants.

16. Plans for Publication Information Collection Results

SSA will not publish the results of the information collection.

17. Displaying the OMB Approval Expiration Date

SSA is not requesting an exception to the requirement to display the OMB approval expiration date .

18. Exceptions to Certification Statement

SSA is not requesting an exception to the certification requirements at 5 CFR 1320.9 and related provisions at 5 CFR 1320.8(b)(3).

B. Collection of Information Employing Statistical Methods

SSA does not use statistical methods for this information collection.