IdMAX Supt Stmt July 2014.Final.

Personal Identity Validation for Routine and Intermittent Access to NASA Facilities, Sites, and Information Systems

OMB: 2700-0158


Supporting Statement

OMB Control Number 2700-XXXX

Personal Identity Verification for Routine and Intermittent Access to NASA Facilities, Sites, and Information Systems


Type of Information Collection: Active Information Collection Without OMB Approval


A. JUSTIFICATION


1. Explain the circumstances that make the collection of information necessary. Identify any legal or administrative requirements that necessitate the collection. Attach a copy of the appropriate section of each statute and regulation mandating or authorizing the collection of information.


Homeland Security Presidential Directive (HSPD)-12 establishes the requirement for a mandatory Government-wide standard for secure and reliable forms of identification for Federal employees and contractors. As directed by HSPD-12, the National Institute of Standards and Technology (NIST) Federal Information Processing Standard (FIPS) 201: Personal Identity Verification of Federal Employees and Contractors and associated NIST publications establish standards and requirements for the identity verification of federal employees and contractors and for Personal Identity Verification (PIV) identity credentials to be issued. OMB policy memorandum M-05-24: Implementation of Homeland Security Presidential Directive 12 requires federal agencies to deploy products and operational systems to issue identity credentials meeting FIPS 201.


In response to this Directive, as well as NIST and OMB guidance, NASA developed the Identity Management and Account Exchange System (IdMAX). This system manages identities, credentials, and access in an integrated, enterprise environment, to ensure that people have the access they need to further the mission of NASA, without putting NASA assets at risk.


Identity Management deals with three major facets of a person:

  • basic details about the person’s identity, such as name and date of birth

  • the affiliation that the person has with NASA, such as civil servant or contractor

  • the knowledge we have about the person based on investigations and records checks


Credential Management deals with the management of items that allow physical access, like door keys and badges, as well as items that allow access to IT systems, like userIDs/passwords and tokens.


Credential Management seeks to ensure that credentials are:

  • issued to the proper person

  • not tampered with or used by someone they do not belong to

  • properly revoked and disposed of when no longer valid


Access Management seeks to ensure that:

  • People are properly authorized to access particular NASA assets

  • Changes to a person’s affiliation, or the knowledge we have about that person, result in a re-assessment of appropriate access

  • Access is removed when a person leaves NASA



NOTE: NASA is one of the 24 federal agencies that is not using the General Services Administration’s HSPD-12 compliant system. NASA determined it was more cost effective to meet HSPD-12 requirements through an independent approach (see response #4).


2. Indicate how, by whom, and for what purpose the information is to be used. Except for a new collection, indicate the actual use the agency has made of the information received from the current collection.


The NASA Office of the Chief Information Officer and the NASA Office of Protective Services manage the collection of information from members of the public requiring access to NASA facilities and/or IT resources, including NASA contractors and grantees requiring access for 30 or more days. Information is also collected from foreign nationals seeking access to NASA facilities and/or IT resources regardless of their affiliation time.


The information collected is used for background investigation processes, establishing levels of confidence and user risk, and controlling access to NASA/federally owned/leased facilities and IT resources.


Information is collected either in person or remotely utilizing a secure information collection website. The data is utilized to create an “identity” in the IdMAX system and is affiliated with a NASA agreement (contract, grant, MOU, etc.). The identity is then approved by a NASA Affiliation Sponsor and forwarded to the applicable NASA Center Security Office for processing.


Security Office Enrollment Officials at NASA Centers collect information and documents to include demographic data, biometrics during enrollment, a photograph/digital image, and valid identity documents per NIST/FIPS requirements.


When required, NASA summarizes/submits the results of credentials issued, as reflected in the following link: http://www.whitehouse.gov/sites/default/files/omb/assets/egov_docs/hspd-12_reporting_workbook_q2fy2013_status_report.pdf




3. Describe whether, and to what extent, the collection of information involves the use of automated, electronic, mechanical, or other technological collection techniques or other forms of information technology, e.g., permitting electronic submission of responses, and the basis for the decision for adopting this means of collection. Also describe any consideration of using information technology to reduce burden.


Impacted members of the public can submit information via NASA’s secure information collection website (all information collected except the documents that must be presented face-to-face in accordance with FIPS 201, NIST, etc.).


Information collected is stored, secured, and maintained electronically. Hard copies of select information required for identity vetting and presented by the member of the public are scanned by the NASA enrollment official, including a birth certificate, current driver's license or other state photo identity card issued by a Department of Motor Vehicles (or equivalent), U.S. passport, foreign government-issued passport, or Native American Tribal Photo ID.



4. Describe efforts to identify duplication. Show specifically why any similar information already available cannot be used or modified for use for the purposes described in Item 2 above.


The Identity Management and Account Exchange (IdMAX) System is the only NASA system used for managing Identity, Credential, and Access information for NASA civil servants, contractors, and affiliates. IdMAX provides access management (the authorization piece) to over 2,300 NASA applications, provides central authentication (mechanism for the person to log into the app) to over 300 NASA applications, and is the authoritative source of information for nearly all applications that utilize identity data (emergency notification, training, active directory, electronic health records, human resources, etc.). By centralizing all information collected and managing that information within IdMAX, NASA has substantially reduced the number of locations and NASA systems in which personal information for members of the public is stored.


The IdMAX credential management and universal registration client also performs all of the FIPS 201 required functions for a PIV Credential Issuance Facility. This saves NASA approximately $234 per PIV credential issued over a 5-year period, compared to the GSA shared services cost for PIV issuance. NASA realized a cost savings of approximately $16,000,000 per five-year lifecycle when NASA began issuing PIV credentials (68,000 issued) compared to the cost of using the GSA shared services.


NASA utilizes OPM’s Personnel Investigations Processing Systems and Central Verification System (e-QIP) to prevent duplication of investigation and vetting by providing reciprocity to members of the public who have a current investigation already completed by another agency or affiliate.



5. If the collection of information impacts small businesses or other small entities (Item 5 of OMB Form 83-I), describe any methods used to minimize burden.



Federal Information Processing Standards 201 has no exemptions or reduction of impact for small entities; therefore, small businesses and other small entities must adhere to HSPD-12 requirements to access federally owned/leased space and IT resources. However, NASA encourages small businesses to use the Remote Identity Invitation. Doing so reduces the burden associated with small businesses hiring an individual to gather and submit all the information. Small business representatives have expressed their satisfaction with the remote identity process.



6. Describe the consequence to Federal program or policy activities if the collection is not conducted or is conducted less frequently, as well as any technical or legal obstacles to reducing burden.


NASA is required to adhere to HSPD 12, as well as NIST, FIPS and OMB requirements. The inability to collect and process this information would prevent members of the public from accessing federally owned/leased space used by NASA.



7. Explain any special circumstances that would cause an information collection to be conducted in a manner:

* requiring respondents to report information to the agency more often than quarterly;

* requiring respondents to prepare a written response to a collection of information in fewer than 30 days after receipt of it;

* requiring respondents to submit more than an original and two copies of any document;

* requiring respondents to retain records, other than health, medical, government contract, grant-in-aid, or tax records, for more than three years;

* in connection with a statistical survey, that is not designed to produce valid and reliable results that can be generalized to the universe of study;

* requiring the use of a statistical data classification that has not been reviewed and approved by OMB;

* that includes a pledge of confidentiality that is not supported by authority established in statute or regulation, that is not supported by disclosure and data security policies that are consistent with the pledge, or which unnecessarily impedes sharing of data with other agencies for compatible confidential use; or

* requiring respondents to submit proprietary trade secrets, or other confidential information unless the agency can demonstrate that it has instituted procedures to protect the information's confidentiality to the extent permitted by law.


NASA does not have any special circumstances that would cause an information collection to be conducted in any manner noted above. With regard to user privacy information, NASA protects the information’s confidentiality to the extent required by law. Also, see the NASA SORN at http://www.nasa.gov/privacy/nasa_sorn_10SECR.html


8. If applicable, provide a copy and identify the date and page number of publication in the Federal Register of the agency's notice, required by 5 CFR 1320.8(d), soliciting comments on the information collection prior to submission to OMB. Summarize public comments received in response to that notice and describe actions taken by the agency in response to these comments.

Specifically address comments received on cost and hour burden. Describe efforts to consult with persons outside the agency to obtain their views on the availability of data, frequency of collection, the clarity of instructions and recordkeeping, disclosure, or reporting format (if any), and on the data elements to be recorded, disclosed, or reported. Consultation with representatives of those from whom information is to be obtained or those who must compile records should occur at least once every 3 years - even if the collection of information activity is the same as in prior periods. There may be circumstances that may preclude consultation in a specific situation. These circumstances should be explained.


60-Day FRN: Vol. 78, No. 155, August 12, 2013. No comments received from the public.
30-Day FRN: Vol. 79, No. 127, July 2, 2014. No comments received from the public.


See the NASA SORN at http://www.nasa.gov/privacy/nasa_sorn_10SECR.html


9. Explain any decision to provide any payment or gift to respondents, other than remuneration of contractors or grantees.


NASA does not provide any payment or gift to respondents for information collected to comply with Homeland Security Presidential Directive (HSPD)-12 requirements.


10. Describe any assurance of confidentiality provided to respondents and the basis for the assurance in statute, regulation, or agency policy.


NASA’s IdMAX system meets the privacy requirements listed in Federal Information Processing Standards Publication 201-1. This includes the assignment of a senior agency official for privacy in accordance with NASA NPD 1382.17H, the completion of a comprehensive Privacy Impact Assessment, and a published document containing a listing of all information types collected. The Privacy Impact Assessment is reviewed periodically as a part of the risk management framework process for IdMAX.


NASA incorporates a privacy policy statement link on every page where members of the public are required to enter information in IdMAX. A copy of the privacy statement is also provided to members of the public when enrolling in-person for a credential.



11. Provide additional justification for any questions of a sensitive nature, such as sexual behavior and attitudes, religious beliefs, and other matters that are commonly considered private. This justification should include the reasons why the agency considers the questions necessary, the specific uses to be made of the information, the explanation to be given to persons from whom the information is requested, and any steps to be taken to obtain their consent.


NASA does not collect information or ask questions of a sensitive nature associated with IdMAX and the use of IdMAX to meet HSPD-12 requirements. NASA does not collect race and ethnicity information for identity vetting.


12. Provide estimates of the hour burden of the collection of information. The statement should:

* Indicate the number of respondents, frequency of response, annual hour burden, and an explanation of how the burden was estimated. Unless directed to do so, agencies should not conduct special surveys to obtain information on which to base hour burden estimates. Consultation with a sample (fewer than 10) of potential respondents is desirable. If the hour burden on respondents is expected to vary widely because of differences in activity, size, or complexity, show the range of estimated hour burden, and explain the reasons for the variance. Generally, estimates should not include burden hours for customary and usual business practices.

* If this request for approval covers more than one form, provide separate hour burden estimates for each form and aggregate the hour burdens in Item 13 of OMB Form 83-I.

* Provide estimates of annualized cost to respondents for the hour burdens for collections of information, identifying and using appropriate wage rate categories. The cost of contracting out or paying outside parties for information collection activities should not be included here. Instead, this cost should be included in Item 13.


The collection of information takes an average of 10 minutes per respondent depending on the user’s requirements (i.e., new enrollment vs. update, etc.).


Annually, we have approximately 25,000 routine users and about 27,000 intermittent users that access, and input identity data into the Identity Management System:


25,000 routine users @ around 10 minutes each = 250,000 minutes

250,000/60 = 4,166 hours annually

27,000 intermittent users @ about 10 minutes each = 270,000 minutes

270,000/60 = 4,500 hours annually

Annual routine user cost: 4,167 hours x approximately $50/hr. = $208,350 annual cost

Annual intermittent user cost: 4,500 hours x approximately $50/hr. = $225,000 annual cost


| Respondent | Number of Responses | Participation Time (minutes) | Burden Hour |
|---|---|---|---|
| Individual/US Citizens (routine) | 25,000 | 10 | 4,166 |
| Individual/Foreign National (intermittent) | 27,000 | 10 | 4,500 |
| | 52,000 | | 8,666 |



13. Provide an estimate for the total annual cost burden to respondents or record keepers resulting from the collection of information. (Do not include the cost of any hour burden shown in Items 12 and 14).


The cost estimate should be split into two components: (a) a total capital and start-up cost component (annualized over its expected useful life) and (b) a total operation and maintenance and purchase of services component. The estimates should take into account costs associated with generating, maintaining, and disclosing or providing the information. Include descriptions of methods used to estimate major cost factors including system and technology acquisition, expected useful life of capital equipment, the discount rate(s), and the time period over which costs will be incurred. Capital and start-up costs include, among other items, preparations for collecting information such as purchasing computers and software; monitoring, sampling, drilling and testing equipment; and record storage facilities.


If cost estimates are expected to vary widely, agencies should present ranges of cost burdens and explain the reasons for the variance. The cost of purchasing or contracting out information collections services should be a part of this cost burden estimate. In developing cost burden estimates, agencies may consult with a sample of respondents (fewer than 10), utilize the 60-day pre-OMB submission public comment process and use existing economic or regulatory impact analysis associated with the rulemaking containing the information collection, as appropriate.


Generally, estimates should not include purchases of equipment or services, or portions thereof, made: (1) prior to October 1, 1995, (2) to achieve regulatory compliance with requirements not associated with the information collection, (3) for reasons other than to provide information or keep records for the government, or (4) as part of customary and usual business or private practices.


Annual cost to NASA (as the record keeper) is provided as follows:

The equipment (servers, software, infrastructure) cost for the IdMAX was approximately $2 million, with a life expectancy of 8 years.


$2 million/8 years = $250,000 per year.


Support costs for NASA IdMAX system require approximately 5 people (5 FTEs) at an estimated cost of $100,000 each = $500,000 annually


14. Provide estimates of annualized costs to the Federal government. Also, provide a description of the method used to estimate cost, which should include quantification of hours, operational expenses (such as equipment, overhead, printing, and support staff), and any other expense that would not have been incurred without this collection of information. Agencies may also aggregate cost estimates from Items 12, 13, and 14 in a single table.


Other expenses would include the cost of computer support equipment and supplies estimated at approximately $1,200 annually per FTE -- $1,200 x 5 FTEs = $6,000 annually.


Table 1: Compilation of Costs (Questions 12, 13, and 14)

| Cost Category | Hour Burden | Annual Costs |
|---|---|---|
| Respondent (routine) | 4,166 | $ 208,350 |
| Respondent (intermittent) | 4,500 | $ 225,000 |
| Equipment | | $ 250,000 |
| Support (salary) | | $ 500,000 |
| Support (equipment) | | $ 6,000 |
| Total Annual Costs | | $1,189,350 |


15. Explain the reasons for any program changes or adjustments reported in Items 13 or 14 of the OMB Form 83-I.


This is the initial report for NASA’s Identity Management and Account Exchange (IdMAX) system. Therefore, no program changes or adjustments are involved.


16. For collections of information whose results will be published, outline plans for tabulation and publication. Address any complex analytical techniques that will be used. Provide the time schedule for the entire project, including beginning and ending dates of the collection of information, completion of report, publication dates, and other actions.


NASA does not tabulate and publish personal information collected from members of the public covered by the PRA.


When required, NASA summarizes information such as the information identified in the link below:

http://www.whitehouse.gov/sites/default/files/omb/assets/egov_docs/hspd-12_reporting_workbook_q2fy2013_status_report.pdf





17. If seeking approval to not display the expiration date for OMB approval of the information collection, explain the reasons that display would be inappropriate.


NASA will display the expiration date for OMB approval of the information collection within the PRA Statement. A sample screen shot is provided below:



18. Explain each exception to the certification statement identified in Item 19, "Certification for Paperwork Reduction Act Submissions," of OMB Form 83-I.


NASA does not take exception to the certification statements below:


The proposed collection of information –

(a) is necessary for the proper performance of the functions of NASA, including that the information to be collected will have practical utility;

(b) is not unnecessarily duplicative of information that is reasonably accessible to the agency;

(c) reduces to the extent practicable and appropriate the burden on persons who shall provide information to or for the agency, including with respect to small entities, as defined in the Regulatory Flexibility Act (5 U.S.C. 601(6)), the use of such techniques as:

(1) establishing differing compliance or reporting requirements or timelines that take into account the resources available to those who are to respond;

(2) the clarification, consolidation, or simplification of compliance and reporting requirements; or

(3) an exemption from coverage of the collection of information, or any part thereof;

(d) is written using plain, coherent, and unambiguous terminology and is understandable to those who are targeted to respond;

(e) indicates for each recordkeeping requirement the length of time persons are required to maintain the records specified;

(f) has been developed by an office that has planned and allocated resources for the efficient and effective management and use of the information to be collected, including the processing of the information in a manner which shall enhance, where appropriate, the utility of the information to agencies and the public;

(g) when applicable, uses effective and efficient statistical survey methodology appropriate to the purpose for which the information is to be collected; and

(h) to the maximum extent practicable, uses appropriate information technology to reduce burden and improve data quality, agency efficiency and responsiveness to the public; and

(i) will display the required PRA statement with the active OMB control number, as validated on www.reginfo.gov



B. COLLECTIONS OF INFORMATION EMPLOYING STATISTICAL METHODS


Not applicable.

File Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File Title: During FY07, FY08, and FY09 the NASA-sponsored Classroom of the Future (COTF) will study how much people learn (assessment of le
Author: Debbie Denise Reese, Ph.D.
File Modified: 0000-00-00
File Created: 2021-01-27