Justification for Non-Substantive Changes for
Request for Internet Services – Password Authentication (RISPA)
20 CFR 401.45
OMB No. 0960-0632
Justification for Non-Substantive Changes
Background
Release 2 of the Social Security Administration’s (SSA) new authentication strategy, the Public Credentialing and Authentication Process, (OMB Number 0960-0789), scheduled for the end of the calendar year, 2012, calls for the decommissioning of the information collection, Request for Internet Services – Password Authentication (RISPA), (OMB No. 0960-0632). SSA is submitting this non-substantive change to request OMB approval of our strategy for transitioning our existing beneficiary PIN/Password (PPW) holders into our new Public Credentialing and Authentication Process (OMB Clearance Number 0960-0789) and shutting down the associated legacy Password Services for beneficiaries. We define beneficiaries as individuals who are currently receiving Social Security benefits.
Initially we were planning to have existing beneficiary PPW holders go through an abbreviated registration process in order to obtain a credential in our new Public Credentialing and Authentication Process. However, to remain in compliance with NIST Special Publication 800-63-1, Electronic authentication Guidelines, and to avoid the expense of maintaining two very similar authentication processes, we will now require beneficiaries with passwords to complete the full new registration process, including identity verification, to obtain a new credential. We will deactivate existing legacy beneficiary passwords, and will terminate our legacy Client Password Services and legacy Password Authentication.
PPW Transition Plan
Concurrent with Release 2 of SSA’s new authentication strategy, the Public Credentialing and Authentication Process, (OMB Number 0960-0789), we will deploy new versions of four beneficiary applications as part of MySocialSecurity. The four applications are:
Benefit Verification (BEVE);
Change of Address (COA);
Direct Deposit (DD); and
Check Your Benefits (CYB).
These applications will require electronic access credentials to authenticate. Customers will access the new applications from the MySocialSecurity portal and these applications will replace existing legacy Internet and automated telephone applications that use beneficiary PPW authentication. The new applications will also replace the existing legacy versions of the corresponding beneficiary Internet applications that use Knowledge-Based Authentication (KBA). With the deployment of Release 2 in December of 2012, PPW users will no longer access applications using their credentials; instead, they will need to register for new accounts through the remote and in-person electronic access processes.
In December of 2012, the Office of Telephone Services (OTS) also plans to discontinue PPW access to its automated telephone services. At that time, existing KBA telephone systems for COA and DD will continue to operate as they are, while we cease access to the PPW telephone systems. OMB approved the discontinuation of PPW on April 26, 2012.
The PPW Transition Plan will involve changes to systems, notices, screen language, and internal documentation across several components. The purpose of the plan is to provide a high-level overview of these adjustments as part of the Release 2 strategy.
PPW Transition Plan Milestones
The transition plan will begin in the late summer of 2012, and conclude with the deployment of release 2 in December of 2012.
Beginning at the end of September 2012, SSA will cease sending Password Request Codes (PRCs) automatically in the mail (for instance, when an individual files for benefits online). In addition, we will discontinue the option to mail a PRC using our Modernized Claims System (MCS).
In mid-November 2012, or about 30 days before Release 2 deployment, we will no longer send any PRC notices. Our beneficiaries will no longer have the capability to request new PRCs.
In early December 2012, OTS will discontinue PPW access to its automated telephone services. Existing KBA telephone systems for COA and DD will continue to operate.
In mid-December 2012, with the deployment of Release 2, we will decommission the beneficiary PPW Internet versions of the Change of Address, Direct Deposit, and Check Your Benefits applications, along with the KBA Internet versions of the Benefit Verification and Change of Address KBA applications.Breakdown of Milestones
September 2012 – 3 months prior to Release 2 deployments
If the beneficiary files for benefits online, or if the beneficiary answers, “yes” to the question, “If awarded, do you want a password to use the Internet/Phone Service?” When the SSA representative is taking the beneficiary’s claim, the system automatically mails a PRC to the beneficiary’s address when SSA awards the claim.
In preparation for the new electronic access release, SSA will cease proactively sending PRCs, and will terminate the automatic mailing functionality when an individual files online or via MCS. The option to send a PRC will no longer be available in MCS, and we will not send a PRC to the claimant’s address when awarding a claim.
November 2012 – 1 month prior to Release 2 deployments
We will no longer allow beneficiaries to request new PRC codes beginning about 30 days before the Release 2 deployment. This will prevent beneficiaries from receiving an unusable code, or from establishing a credential that will expire within days or weeks of its creation.
As part of this transition, we will not allow beneficiaries to request a new PRC on the Internet and automated telephone service, either to establish a new credential or to reset the password on an existing credential. SSA employees will not use the system to issue new PRCs.
We will disable the PRC functionality through a “soft block”, for example, by redirecting links to the Internet “Get a Password Request Code” page to explanatory pages and through administrative messages directing SSA staff not to use password reset functionality in the system.
We will disable the PRC functionality in the automated telephone system and notify beneficiaries through automated telephone messages that the password maintenance services are no longer available and that new credentialing services are coming soon.
Early December 2012 – Two weeks prior to Release 2 deployments
Approximately two weeks prior to Release 2 deployment, we will discontinue PPW access to our automated telephone services. At that time, existing KBA telephone systems for COA and DD will continue to operate as they are, until they are migrated to the new platform, CARE 2020. The PPW telephone applications will cease to be available. We will notify beneficiaries through automated telephone messages that the password services and password-accessed applications are no longer available.
In 2013, OTS will transition all remaining automated telephone systems to the CARE 2020 platform. This transition will not include any already terminated telephone password services.
Mid-December 2012 - Release 2 deployments
PPW transitioning will end with the electronic access Release 2 deployment. With this deployment:
We will decommission PPW Internet applications DD, COA, and CYB.
We will decommission KBA-accessed BEVE and COA Internet applications.
We will decommission the Customer eAuthentication Record (CER screen). We will transfer the administrative functionality to impose or remove an electronic services block to the Registration and Customer Support (RCS) Intranet application. (Internet and telephone applications to block electronic access will maintain current functionality.)
We will decommission the remaining Internet beneficiary Password Services. This includes “Choose your password” and “Change your password.”
We will make the MySocialSecurity beneficiary portal replacing PPW DD, COA, and CYB and the KBA-accessed BEVE applications available for beneficiary use.
We will redirect users of the public websites to the new MySocialSecurity registration process with new screen language.
With these actions, the transitioning plan will be complete.
Estimates of Public Reporting Burden
The Public Credentialing and Authentication Process, (OMB Number 0960-0789) will absorb the existing public reporting burden for RISPA (OMB No. 0960-0632), when we decommission this information collection.
During the first half of the transition, we estimate a decrease in burden hours for RISPA.
Collection Instrument |
Number of Respondents |
Frequency of Response |
Average Burden Per Response (minutes) |
Estimated Total Annual Burden (hours) |
Internet Requestors |
1,546,035 |
1 |
10 |
257,673 |
| File Type | application/msword |
| File Title | ADDENDUM TO SUPPORTING STATEMENT |
| Author | Naomi |
| Last Modified By | 889123 |
| File Modified | 2012-09-14 |
| File Created | 2012-09-10 |