Addendum to the Supporting Statement for 0960-0789


SSA's Public Credentialing and Authentication Process


OMB: 0960-0789


Addendum to the Supporting Statement for Social Security Administration’s Public Credentialing and Authentication Process

20 CFR 401.45, 20 CFR 402

OMB No. 0960-0789



Background


On October 17, 2014, President Obama signed an executive order on cyber security. The order focuses on protecting citizens from identity theft and directs federal agencies to provide more secure authentication for their online services. Specifically, the order requires multifactor authentication for any agency application that accesses personal information. Prior to June 2017, SSA offered multifactor authentication, but only for customers who opted to register for extra security, which requires the additional verification of financial records. Because of the executive order, SSA is expanding its existing capabilities to require multifactor authentication for every online sign in.  We also allow for maintenance of the multifactor options for our customers.



Electronic access is the centralized authentication utility for access to the my Social Security (mySSA) public-facing electronic services. Since its release in May 2012, more than 28 million individuals have received mySSA credentials. From May 2012 until mid-June 2017, multifactor authentication was optional for mySSA customers. It involved sending a security code by text message to a customer’s confirmed cell phone number. On 5/9/17, OMB approved a Change Request, which allowed us to include multifactor authentication using either a cell phone or email address. With the June 2017 release, we added email as another multifactor option. Effective June 10, 2017, we always require mySSA customers to receive a security code via email or via text message each time they sign in. They must provide this code back to us during the online registration and sign in authentication processes, for both standard accounts and accounts with extra security.



Revisions to the Collection Instrument

Language Change to the Sign In Terms of Service

  • Change #1: We made minor changes to the sign in Terms of Service language.

The following is the old language for the Terms of Service screen.

      • I am using this service with the account that I created myself using my own personal information and identity. I am not using an account created by another person or created using another person's information or identity, even if I have that person's written permission.

      • I will never share the use of my account with anyone else under any circumstances. I will never use another person's account.

      • I understand that this computer program contains U.S. Government information.

      • I consent to the monitoring and recording of my use of this program to ensure its appropriate use.

      • I understand that it is a federal crime to:

        • Give false or misleading statements to obtain information in Social Security records; or

        • Deceive the Social Security Administration of an individual's identity.

      • I understand that unauthorized use of this service is a misrepresentation of my identity to the federal government and could subject me to criminal or civil penalties, or both.

      • I understand that Social Security may stop me from using these services online if it finds or suspects misuse.

      • I accept that the responsibility to properly protect any information provided to me by Social Security is mine and that I am the responsible party should any information on or from my computer or other device be improperly disclosed. I agree that Social Security is not responsible for the improper disclosure of any information that Social Security has provided to me, whether due to my negligence or the wrongful acts of others.

The following is the new language for the Terms of Service screen, with changes highlighted.

  • I am using my Social Security account services with the account that I created myself using my own personal information and identity. I am not using a my Social Security account created by another person or created using another person's information or identity, even if I have that person's written permission.

  • I will never share the use of my Social Security account with anyone else under any circumstances. I will never use another person's my Social Security account.

  • I understand that my Social Security contains U.S. Government information.

  • I consent to the monitoring and recording of my use of my Social Security services, including any electronic communications (such as click-to-chat or messaging).

  • I understand that it is a federal crime to:

    • Give false or misleading statements to obtain information in Social Security records; or

    • Deceive the Social Security Administration about an individual's identity.

  • I understand that unauthorized use of my Social Security services is a misrepresentation of my identity to the federal government and could subject me to criminal or civil penalties, or both.

  • I understand that the Social Security Administration may stop me from using my Social Security services online if it finds or suspects misuse.

  • I accept that the responsibility to properly protect any information provided to me by the Social Security Administration is mine and that I am the responsible party should any information on or from my computer or other device be improperly disclosed. I agree that the Social Security Administration is not responsible for the improper disclosure of any information the Social Security Administration has provided to me, whether due to my negligence or the wrongful acts of others.

Justification #1: We made minor changes to the sign in Terms of Service language to accommodate new “Click‑to-Chat” functionality as part of the my Social Security Customer Engagement Tools enhancements. We will implement this change as soon as possible.

Language Change to the Privacy Act Statement for Internet and Intranet

  • Change #2: We made minor changes to the eAccess Internet Privacy Act Statement. We will implement this change as soon as possible.

The following is the old language for the Internet Privacy Act Statement screen.

Privacy Act Statement

Collection and Use of Personal Information

Section 205 of the Social Security Act, as amended; the Government Paperwork Elimination Act (P.L. 105-277); and the Federal Information Security Management Act of 2002 (Title III) of the E-Government Act of 2002 (P.L. 107-347) authorize us to collect this information to allow you access to our online services.

This Privacy Act Statement applies to the entire online authentication process and credential issuance, which includes account setup to account maintenance.

We need this information to identify who you are before we provide you with the information you are requesting. Your response is voluntary. However, failure to provide the requested information may prevent you from using our online services.

We use the information you give us to verify your identity against our records. We also use an external Identity Services Provider to verify your information against their records. We do not share your Social Security number with them, and they keep your information only for the period of time permitted by federal laws, regulations, or guidelines. We use their fraud prevention services to assist in protecting you from identity theft.

We rarely use the information you supply for any purpose other than to verify your identity. However, we may use it for the administration and integrity of our Social Security programs. We may also disclose information to another person or to another agency in accordance with approved routine uses, which include, but are not limited to, the following:

  1. To comply with Federal laws requiring the release of information from Social Security records (e.g. to the Government Accountability Office and Department of Veterans Affairs);

  2. To facilitate statistical research, audit, or investigative activities necessary to assure the integrity and improvement of Social Security programs;

  3. To respond to a request on your behalf from a Congressional office or the Office of the President; and

  4. To share necessary information with other Federal agencies and our contractors, including external data sources, to assist us in efficiently administering our programs.

A complete list of routine uses for this information is available in our System of Records Notice entitled, Central Repository of Electronic Authentication Data Master File (60-0373). The notice, additional information regarding this form, and any other information regarding our programs are available online at www.socialsecurity.gov or at your local Social Security office.

The following is the new language for the Internet Privacy Act Statement screen, with changes highlighted.

Privacy Act Statement
Collection and Use of Personal Information


Section 205 of the Social Security Act, as amended; the Government Paperwork Elimination Act (P.L. 105-277); and the Federal Information Security Management Act of 2002 (Title III) of the E-Government Act of 2002 (P.L. 107-347) authorize us to collect this information to allow you access to our online services. Furnishing us this information is voluntary. However, failing to provide all or part of the information may prevent you from using our online services.

We will use the information to identify who you are before we provide you with the information you are requesting. We also use an external Identity Services Provider to verify your information against their records. We do not share your Social Security number with them, and they keep your information only for the time permitted by federal laws. We use their fraud prevention services to assist in protecting you from identity theft. We may also share your information for the following purposes, called routine uses:

  1. To other Federal agencies and our contractors, including external data sources, to assist us in administering our programs; and

  2. To appropriate Federal, State, and local agencies, entities, and persons when: (a) We suspect or confirm a compromise of security or confidentiality of information; (b) We determine that as a result of the suspected or confirmed compromise there is a risk of harm to economic or property interests, risk of identity theft or fraud, or harm to the security or integrity of this system or other systems or programs that rely upon the compromised information; and (c) We determine that disclosing the information to such agencies, entities, and persons will assist us in our efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm.

In addition, we may share this information in accordance with the Privacy Act and other Federal laws. For example, where authorized, we may use and disclose this information in computer matching programs, in which our records are compared with other records to establish or verify a person’s eligibility for Federal benefit programs and for repayment of incorrect or delinquent debts under these programs.

A list of additional routine uses is available in our Privacy Act System of Records Notice (SORN) 60-0373, entitled Central Repository of Electronic Authentication Data Master File. Additional information and a full listing of all our SORNs are available on our website at www.socialsecurity.gov/foia/bluebook.

This Privacy Act Statement applies to the entire online authentication process and credential issuance, which includes account setup to account maintenance.

Justification #2: The old Privacy language was outdated, and we needed to update it.

  • Change #3: We replaced the Registration and Customer Support (RCS) Intranet Privacy Act Statement. We will implement this change as soon as possible.

The following is the old language for the RCS Intranet Privacy Act Statement screen.

Privacy Act Statement

Collection and Use of Personal Information

Section 205 of the Social Security Act, as amended; the Government Paperwork Elimination Act (P.L. 105-277); and the Federal Information Security Management Act of 2002 (Title III) of the E-Government Act of 2002 (P.L. 107-347) authorize us to collect this information to allow access to our online applications.

This Privacy Act Statement applies to our new authentication and credential issuance process, which includes account setup to account maintenance.

We need this information to identify quickly who you are and provide the information you requested. Your response is voluntary. However, failure to provide the requested information may prevent you from using our online services.

We use the information you give us to verify your identity against our records. We also use an external Identity Services Provider to verify your information against their records. We do not share your Social Security number with them, and they keep your information only for the period of time permitted by federal laws, regulations, or guidelines. We use their fraud prevention services to assist in protecting you from identity theft.

We rarely use the information you supply for any purpose other than to verify your identity. However, we may use it for the administration and integrity of Social Security programs. We may also disclose information to another person or to another agency in accordance with approved routine uses, which include, but are not limited to, the following:

  1. To comply with Federal laws requiring the release of information from Social Security records (e.g. to the Government Accountability Office and Department of Veterans Affairs);

  2. To facilitate statistical research, audit, or investigative activities necessary to assure the integrity and improvement of Social Security programs;

  3. To respond to a request on your behalf from a Congressional office or the Office of the President; and

  4. To share necessary information with other Federal agencies and our contractors, including external data sources, to assist us in efficiently administering our programs.

A complete list of routine uses for this information is available in our System of Records Notice entitled, Central Repository of Electronic Authentication Data Master File (60-0373). The notice, additional information regarding this form, and any other information regarding our programs are available online at www.socialsecurity.gov or at your local Social Security office.

Explanations about these and other reasons why we use or give out information you provide are available in Social Security offices. If you want to learn more about this, contact any Social Security office.

The following is the new language for the RCS Intranet Privacy Act Statement screen. This language replaces the old language.

Privacy Act Statement
Collection and Use of Personal Information

Section 205 of the Social Security Act, as amended; the Government Paperwork Elimination Act (P.L. 105-277); and the Federal Information Security Management Act of 2002 (Title III) of the E-Government Act of 2002 (P.L. 107-347) authorize us to collect this information to allow you access to our online services. Furnishing us this information is voluntary. However, failing to provide all or part of the information may prevent you from using our online services.


We will use the information to identify who you are before we provide you with the information you are requesting. We also use an external Identity Services Provider to verify your information against their records. We do not share your Social Security number with them, and they keep your information only for the time permitted by federal laws. We use their fraud prevention services to assist in protecting you from identity theft. We may also share your information for the following purposes, called routine uses:


  1. To other Federal agencies and our contractors, including external data sources, to assist us in administering our programs; and


  2. To appropriate Federal, State, and local agencies, entities, and persons when: (a) We suspect or confirm a compromise of security or confidentiality of information; (b) We determine that as a result of the suspected or confirmed compromise there is a risk of harm to economic or property interests, risk of identity theft or fraud, or harm to the security or integrity of this system or other systems or programs that rely upon the compromised information; and (c) We determine that disclosing the information to such agencies, entities, and persons will assist us in our efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm.


In addition, we may share this information in accordance with the Privacy Act and other Federal laws. For example, where authorized, we may use and disclose this information in computer matching programs, in which our records are compared with other records to establish or verify a person’s eligibility for Federal benefit programs and for repayment of incorrect or delinquent debts under these programs.


A list of additional routine uses is available in our Privacy Act System of Records Notice (SORN) 60-0373, entitled Central Repository of Electronic Authentication Data Master File. Additional information and a full listing of all our SORNs are available on our website at www.socialsecurity.gov/foia/bluebook.

This Privacy Act Statement applies to the entire online authentication process and credential issuance, which includes account setup to account maintenance.

Justification #3: The old Privacy language was outdated, and we needed to update it.

File Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Author: Banack, Terri
File Modified: 0000-00-00
File Created: 2021-01-22
