SSN Justification

MEMORANDUM FOR THE RECORD
SUBJECT: Justification for the Use of the Social Security Number in the Assistance Reporting
Tool (ART); Department of Defense Information Technology Portfolio Repository
Number 13918
The purpose of this memorandum is to satisfy the requirements established in DoDI
1000.30, Reduction of Social Security Number (SSN) Use Within DoD, effective August 1,
2012, with respect to the Assistance Reporting Tool (ART). The Department of Defense (DoD)
Information Technology Portfolio Repository identification number assigned to ART is 13918.
This memorandum provides justification for the continued collection and use of SSNs by ART.
The System of Records Notice applicable to ART is DTMA 04: Medical/Dental Claim History
Files, March 29,2006, 71 FR 15702 (Attachment 1). The Privacy Impact Assessment for ART
became effective December 21, 20 I 0 (Attachment 2).
ART is a secure web-based system that captures feedback on and authorizations related
to TRICARE benefits. ART received an Authority to Operate in compliance with the
Department of Defense Information Assurance Certification and Accreditation Process on June
2,2012. The system undergoes an annual risk assessment to ensure protective controls are
maintained during the lifecycle of the system. ART maintains a Privacy Impact Assessment on
file with the TRICARE Management Activity (TMA) Privacy and Civil Liberties Office. Users
are comprised of customer service personnel, to include Beneficiary Counseling and Assistance
Coordinators, Debt Collection Assistance Officers, personnel, family support, recruiting
command, case managers, and others who serve in a customer service support role. The ART is
also the primary means by which Military Medical Support Office (MMSO) staff capture
medical authorization determinations and claims assistance information for remotely located
service members, line of duty care, and care under the Transitional Care for Service-related
Conditions benefit. ART allows users to track workload and resolution ofTRICARE-related
issues.
ART is subject to the Paperwork Reduction Act (PRA) and is currently in the process of
completing the required documentation for Office of Management and Budget approval
(Attachment 3).
In accordance with DoDI 1000.30, continued use of SSNs within ART must be justified
by one or more of the Acceptable Use Cases set forth in DoDI 1000.30, Enclosure 2. The
Acceptable Use Cases applicable to ART are:
Computer Matching. ART users rely on other government systems and forms that
require the use of the SSN as a unique and primary identifier. These systems and forms include:
•
•
•
•
•

Defense Enrollment Eligibility Reporting System (DEERS)
General Inquiry ofDEERS (GIQD)
Marine Corps Medical Entitlements Data System (MCMEDS)
Army Line Of Duty (LOD) Module
Managed Care Support Contractors' Claims Systems
1

• 	 Air Force AF348
• 	 Army DA2173
Users gather information from the above forms and query the systems identified to verify
eligibility DoD benefits, process medical authorizations, issue line of duty determinations, and
answer TRICARE-related benefit questions. To accomplish this, users rely on SSNs as unique
identifiers per the Code of Federal Regulations (CFR), Title 32, Volume 2, Section 220.9(d). 32
CFR § 220.9(d) states:
(d) Mandatory disclosure of Social Security account numbers. Pursuant to 10 U.S.C.
1095(k)(2), every covered beneficiary eligible for care in facilities of the Uniformed Services
is, as a condition of eligibility, required to disclose to authorized personnel his or her Social
Security account number.
In 2011, the DoD eliminated the SSN from the United States Uniformed Services
Identification and Privilege Cards and replaced the SSN with a DoD ID Number and a DoD
Benefits Number. Individuals were not required to immediately replace their ID cards with new
cards; instead they were encouraged to replace their cards upon expiration. It will be an
undetermined period of time before the SSN is eliminated from all ID cards because:
• 	 Uniformed service retirees are not required to replace their ID cards until age 65; and
• 	 Beneficiaries age 75 or older who received permanent ID cards before 2011 will never
need to renew their ID cards.
ART users may enter an SSN or a DoD Benefits Number. But until the systems and forms
previously identified mandate the use of new identifiers (Le. DoD Benefits Number), ART users
will continue to use SSNs as it is the established method of identifying unique individuals.
The following provides a list of the physical, technical, and administrative controls currently
in place in ART to reduce exposure of the SSN:
1) 	 Physical Controls
a) 	 ART data is stored on a single server in a designated room at a single location. Access to
the room is limited to government and government-contracted personnel at the facility
with both proper keycard to access the building and the appropriate passcode to unlock
the cypher lock to the room.
b) 	 ART back-up data is secured in a fire-rated safe on zip drives at a third-party location.
Access to the room is limited to government and government-contracted personnel at the
facility with the proper cypher code to get into the room and the correct combination to
the safe.
c) 	 End-user access to ARTis limited to personnel granted an ART account by the
Beneficiary Education & Support (BE&S) Division of TMA. Users access ART via
computers at their duty location or on government-issued laptops. To access the system,
users first authenticate to the HAITMA network through the use of a valid Common
Access Card (CAC) ID. Non-CAC ID users must first authenticate by logging in to the

HAJTMA Extranet. Once logged in to the HAJTMA Extranet, users may access ART
with their ART username and password.
2) Technical Controls
a) Access to ART is restricted to authorized users. Users with a CAC must use their CAC
to access the system. Users without a CAC must use a username and password.
b) Users who make three failed attempts to access ART are locked out. Accounts may only
be unlocked by ART administrative staff. The Intrusion Detection System assures access
to only authorized users.
c) ART data exists behind a firewall; assuring communicating networks are secure and
trusted.
d) ART data is provided a high level of security and data integrity through encryption via
the Oracle Ilg Triple Data Encryption Standard (3DES) when data is transmitted to and
from the Web server.
e) Backup tapes are 3DES encrypted (for fields containing Personal Identifiable
Information) as well as Advanced Encrypted Standard-256 bit (AES-256) encrypted.
3) Administrative Controls
a) Only authorized users are permitted to access ART. Requests for access are made in
writing to TMA BE&S Division. Verification is made that the individual assists
beneficiaries with aspects of the TruCARE benefit.
b) Any ART account not accessed in a 35-day period will default to an "Inactive" status.
ART administrative staff closes these accounts on a quarterly basis.
c) Users are granted access based on their level of responsibility. The criteria used to
determine who has access to different parts of the system are based on position.
d) ART technical staff performs daily audits on the security methods protecting ART. The
daily auditing report includes number of logins and failed attempts and identifies any
threats to data.
The TMAJBE&S point of contact for this program is Ms. Lennya Bonivento, Health
System Specialist, 703-681-1770, [email protected].

;///J~/~
:1.::~hon
Direc or
TMAJBE&S

Attachments:
As stated