0596-0204 Financial info security SuptStmt 02162018

0596-0204 Financial info security SuptStmt 02162018.docx

Financial Information Security Request Form

OMB: 0596-0204

Document [docx]
Download: docx | pdf



The 2018 Supporting Statement for OMB 0596-0204

Financial Information Security Request Form


Please Note: This information is collected from both Forest Service (FS) employees and federally employed contractors. The Paperwork Reduction Act of 1995 only covers burden on the public and not federal employees. The burden figures in this collection cover only the contractors and not the FS federal employees.

  1. Justification

  1. Explain the circumstances that make the col­lection of information necessary. Iden­tify any legal or administrative require­ments that necessitate the collection. Attach a copy of the appropriate section of each statute and regulation mandating or authorizing the col­lection of information.

Regulations:

  • DR 3140-001 (USDA Information Systems Security Policy)

  • DM 3515-000 (USDA Privacy Requirements)

  • Public Law 107-347 - Federal Information Security Management Act of 2002

  • Public Law 104-106 – Information Technology Management Reform Act of 1996

  • Title VI: NFC Security Access Procedures, Chapter 1 – Agency Liaison and Security Access, Section I: Security Access (unavailable electronically from NFC due to security constraints). The Guidelines Security Officers follow are defined in the NFC Client Security Officer Training Manual that is a part of the NFC Security Access Procedures noted above.

The majority of the Forest Service’s financial records are in databases stored at the National Finance Center (NFC). These records are maintained by both Forest Service employees and contractors who must receive access to NFC to perform essential duties. USDA DR-3140 and USDA DM-3140 require managers of computer processing operations to provide controlled access to facilities and computer resources. USDA agencies must designate unit (Automated Data Processing) Security Officers (Client Security Officer) to manage access to computers and to coordinate requests for National Finance Center (NFC) access. NFC grants access to users only at the request of Client Security Officers. In order for personnel to place their request with the Client Security Officer to gain access to NFC, the Forest Service (FS) uses the internal electronic form FS-6500-214 Financial Information Security Request. Prior to filling out the form, FS employees and contractors must first complete specific training before a user may request access to certain financial systems. Once the trainings are successfully passed, applicants complete and submit the request form to the Client Security Officer for review and processing.

  1. Indicate how, by whom, and for what pur­pose the information is to be used. Except for a new collec­tion, indicate the actual use the agency has made of the infor­ma­tion received from the current collec­tion.

  1. What information will be collected - reported or recorded? (If there are pieces of information that are especially burdensome in the collection, a specific explanation should be provided.)

The employee/contractor (applicant) and the Forest Service Database provide the information necessary to complete form, FS-6500-214. The applicant verifies completion of two courses within the last year: Privacy Act Basics and IT (Information Technology) Security. The applicant then enters his/her Forest Service assigned short name (first letter of first name plus last name) assigned by the Forest Service. Using the assigned short name, the screen is populated with information that the contractor can change if incorrect: Name, work email address, work telephone number, and job title.

The applicant checks the appropriate box for a federal/contracted employee and provides the expiration date of the contract if applicable. The applicant then selects the databases and actions needed. Based on the database(s) selected, the applicant provides additional information regarding the financial systems, work location, access scope, etc. Once the form is submitted to the Client Security Officer, a one-page agreement automatically prints, which the applicant and Client Security Officer will sign. The agreement is a certification statement that acknowledges the employee/contractor’s recognition of the sensitive nature of the information and agrees to use the information only for authorized purposes.

  1. From whom will the information be collected? If there are different respondent categories (e.g., loan applicant versus a bank versus an appraiser), each should be described along with the type of collection activity that applies.

This information is collected from both federal employees and contracted employees who maintain financial records stored at NFC.

  1. What will this information be used for - provide ALL uses?

The information will be used to ensure the required training has been completed and to determine what level of access to NFC financial systems is to be granted to the applicant.

  1. How will the information be collected (e.g., forms, non-forms, electronically, face-to-face, over the phone, over the Internet)? Does the respondent have multiple options for providing the information? If so, what are they?

Web-based electronic form FS-6500-214 is the only option used to gather the information.

  1. How frequently will the information be collected?

Collection occurs approximately three times per applicant – for example, when an applicant is hired, when an applicant’s access requires modification to access more systems; and finally, when an applicant’s access is terminated due to retirement or separation.

  1. Will the information be shared with any other organizations inside or outside USDA or the government?

This information is shared with only those managing or overseeing the financial systems used by the Forest Service, including auditors.

  1. If this is an ongoing collection, how have the collection requirements changed over time?

The collection requirements have not changed over time.


  1. Describe whether, and to what extent, the collection of information involves the use of auto­mat­ed, elec­tronic, mechani­cal, or other techno­log­ical collection techniques or other forms of information technol­o­gy, e.g. permit­ting elec­tronic sub­mission of respons­es, and the basis for the decision for adopting this means of collection. Also, describe any con­sideration of using in­fo­r­m­a­t­ion technolo­gy to re­duce bur­den.

Except for a short acknowledgement form printed at the end of the application process, the information collection occurs within the electronic environment using form FS-6500-214. The form consists of a series of data entry screens. Some data items self-populate the screen after entry of the applicant’s assigned short name (first letter of first name plus last name). Required fields are automatically flagged for the user, and must be filled out before user can move to the next screen.

The form is submitted electronically to the Client Security Officer for approval. An automatic process includes a response to the user, acknowledging receipt of the form. The form’s data fields are validated using data stored electronically at NFC. It takes approximately 10 minutes to complete and submit the access request. Use of the web-based electronic form has eliminated redundant requests, reducing burden.

  1. Describe efforts to identify duplica­tion. Show specifically why any sim­ilar in­for­mation already avail­able cannot be used or modified for use for the purpos­es de­scri­bed in Item 2 above.

The information collected is unique to the Forest Service. Collection of the information occurs as needed for the specific purpose of requesting and acquiring access to NFC data. This information collection is necessary to meet information security and financial management requirements.

  1. If the collection of information im­pacts small businesses or other small entities, describe any methods used to mini­mize burden.

The information has no impact on small businesses or other small entities, other than those contracting with the Forest Service to provide assistance in maintaining financial records. All applicants, both Forest Service employees and paid contract employees, are paid for the time to provide this information, as it is provided during official on-duty time, in relation to their official duties. The impact is minimal necessary to meet regulations and does not place an undue burden on contractors or employees.

  1. Describe the consequence to Federal program or policy activities if the collection is not conducted or is con­ducted less fre­quent­ly, as well as any technical or legal obstacles to reducing burden.

Without the collection of this information, employees and contracted employees would not be able to request access to the records necessary to accomplish duties.



  1. Explain any special circumstances that would cause an information collecti­on to be con­ducted in a manner:

  • Requiring respondents to report informa­tion to the agency more often than quarterly;

Although there is no specific requirement, applicants switching jobs, acquiring additional duties, and filling in for co-workers would necessitate requesting modifications to NFC access and documentation for security audits that may occur more often than quarterly.

  • Requiring respondents to prepare a writ­ten response to a collection of infor­ma­tion in fewer than 30 days after receipt of it;

Due to the nature of these requests, they are typically completed in fewer than 30 days of receipt.

  • Requiring respondents to submit more than an original and two copies of any docu­ment;

  • Requiring respondents to retain re­cords, other than health, medical, governm­ent contract, grant-in-aid, or tax records for more than three years;

  • In connection with a statisti­cal sur­vey, that is not de­signed to produce valid and reli­able results that can be general­ized to the uni­verse of study;

  • Requiring the use of a statis­tical data classi­fication that has not been re­vie­wed and approved by OMB;

  • That includes a pledge of confidentiality that is not supported by au­thority estab­lished in statute or regu­la­tion, that is not sup­ported by dis­closure and data security policies that are consistent with the pledge, or which unneces­sarily impedes shar­ing of data with other agencies for com­patible confiden­tial use; or

  • Requiring respondents to submit propri­etary trade secret, or other confidential information unless the agency can demon­strate that it has instituted procedures to protect the information's confidentiality to the extent permit­ted by law.

There are no other special circumstances. The collection of information is conducted in a manner consistent with the guidelines in 5 CFR 1320.6.

  1. If applicable, provide a copy and iden­tify the date and page number of publication in the Federal Register of the agency's notice, required by 5 CFR 1320.8 (d), soliciting com­ments on the information collection prior to submission to OMB. Summarize public com­ments received in response to that notice and describe actions taken by the agency in response to these comments. Specifically address com­ments received on cost and hour burden.

A Federal Register notice requesting comment was published on November 21, 2017, Page 55347. No comments were received in response to the notice.

Describe efforts to consult with persons out­side the agency to obtain their views on the availability of data, frequency of collection, the clarity of instructions and record keeping, disclosure, or reporting format (if any), and on the data elements to be recorded, disclosed, or reported.

This form is for internal use only by Forest Service employees and contracted employees.

In an effort to consult with persons outside the agency, we sent screen shots of our electronic form to the Security Officer at the Department of Agriculture to disseminate to other agencies that have similar OMB requirement; to provide us feedback regarding clarity of instruction and other disclosures on the form. We received feedback only from the Security Officer at the Department. The Department’s Security Officer’s feedback was related to issues of typographical errors and navigation. We included “Next” and “Previous” buttons on the form to help users navigate back and forth on the form. We also included instructions on how to start a new request on the final page of the form to help users interested in completing multiple requests.

Consultation with representatives of those from whom information is to be obtained or those who must compile records should occur at least once every 3 years even if the col­lection of information activity is the same as in prior periods. There may be circumstances that may preclude consultation in a specific situation. These circumstances should be explained.

The following Forest Service contracted employees have completed the form and provided comments below:

  • Lisa Matthews, CGI, CFO Financial Management

  • Dena-Kay Brown, Business Analyst, NSGI

  • Jameson Simek, Senior Consultant, CGI

Overall, the comments received stated that the system access form is straight-forward and easy to complete. The information requested is relevant to the purpose of the form. One of the primary benefits is that the form is concise and can be completed quickly. Each of the contracted employees interviewed expressed concern for data security and was confident that the form will help provide some oversight. They believe contractors and employees should be trained on what system they need access to before completing the form.


        1. Explain any decision to provide any payment or gift to respondents, other than re-enumeration of contractors or grantees.

Respondents do not receive payments or gifts for responses other than re-enumeration to applicants for their official on-duty time while attending the required training and providing this information.

  1. Describe any assurance of confidentiality provided to respondents and the basis for the assurance in statute, regulation, or agency policy.

The applicants are responding as part of their official duties and responsibilities. There is no assurance of confidentiality.

  1. Provide additional justification for any questions of a sensitive nature, such as sexual behavior or attitudes, religious beliefs, and other matters that are commonly considered private. This justification should include the reasons why the agency considers the questions necessary, the specific uses to be made of the information, the explanation to be given to persons from whom the information is requested, and any steps to be taken to obtain their consent.

There are no questions of a sensitive nature associated with this information collection.

  1. Provide estimates of the hour burden of the collection of information. Indicate the number of respondents, frequency of response, annual hour burden, and an explanation of how the burden was estimated.

The burden figures in Table 1 estimate that 209 contractors use the FS 6500-214 in a given year. The number of agency contractors, 209 is an average of the number of individual FS 6500-214’s received by the Albuquerque Service Center’s Security branch from contractors in the last 5 years (2013-2017). In addition, the number of responses per contractor respondent is an estimate. An applicant only has to complete the IT Security Training and Privacy Act Basic Training annually. Form-6500-214 may be used multiple times by the same respondent depending on the financial systems he/she is requesting to access.


The burden per response was estimated by measuring the time it took several first-time contracted employees to complete the form.

Table 1

( a )
Description of
Collection Activity

( b )
Form
Number

( c )
Number of
Respondents


( d )
Number of
responses
annually per
Respondent

( e )
Total
annual
responses
( c x d )

( f )
Estimate
of Burden
Hours per
response

( g )
Total Annual
Burden
Hours
( e x f )

IT Security Training by Contracted Employee

n/a

209

1

209

30 minutes

105

Privacy Act Basic Training by Contracted Employee

n/a

209

1

209

30 minutes

105

Completion of form by Contracted Employee

FS-6500-214

209

3

627

10 minutes

105

 

 

 

 

 

 

 

Total

-

-

-

1,045

-

315



Note: In the 2014 re-certification of this form, the number of respondents, 415 was overestimated, and as a result, the total annual burden hours was also overestimated. The number of respondents was also overestimated in the Federal Register issued for this re-certification, and has been adjusted in the table above.

Record keeping burden –there is no record keeping requirement placed upon the respondents in relation to this information collection.

Provide estimates of annualized cost to respondents for the hour burdens for collections of information, identifying and using appropriate wage rate categories.

The Bureau of Labor Statistics’ report on “National Occupational Employment and Wage Estimates, (http://www.bls.gov/oes/current/oes_nat.htm) was used to determine the mean wage of $46.17/hour to determine the annualized cost to respondents. May 2016 estimate is the most recent estimate. For an information security analyst contractor to attend training and to provide the necessary information. A total of 315 hours multiplied by $46.17 per hour = $14,544 (rounded.).

  1. Provide estimates of the total annual cost burden to respondents or record keepers resulting from the collection of information, (do not include the cost of any hour burden shown in items 12 and 14). The cost estimates should be split into two components: (a) a total capital and start-up cost component annualized over its expected useful life; and (b) a total operation and maintenance and purchase of services component.

There are no start-up/capital or operation/maintenance costs.

  1. Provide estimates of annualized cost to the Federal government. Provide a description of the method used to estimate cost and any other expense that would not have been incurred without this collection of information.

Table 2


Activity

Cost to Government

Forest Service Employee Labor for reviewing, approving, and filing signed acknowledgement forms per annum.

627 forms per year multiplied by 10 minutes per form = 105 hours multiplied by cost to government of GS-7/Step-5 ($24.41) = $2,563.

Forest Service Employee Labor for developing computer systems and screens to collect information

Cost to develop the program:

There are no additional costs beyond those originally incurred to develop program.

Cost of Contractors

209 contractor hours multiplied by $46.17 per hour = $9,649.53

Total Cost to Government

$9,649.53 +2,563 = $12,213




The OPM 2017 Salary Table for the locality pay area of the Washington, DC area was used for the basic hourly wage of a GS-7/Step 5 at $24.41/hour.



  1. Explain the reasons for any program changes or adjustments reported in items 13 or 14 of OMB form 83-I.

There were errors in burden rate and number of respondents in prior year submissions which have been corrected. The estimated number of respondents did change from 415 to 209 due to counting contractors who don’t need access to agency financial systems to do their job.

16. For collections of information whose results are planned to be published, outline plans for tabulation and publication.

There are no plans to publish the results of this information collection.

17. If seeking approval to not display the expiration date for OMB approval of the information collection, explain the reasons that display would be inappropriate.

The Forest Service is seeking approval to omit the expiration date of the OMB approval, as the electronic form and data collection process are used exclusively by paid contractors and Forest Service employees on an internal, closed system. Including the expiration date would cause confusion to respondents as they may confuse the OMB expiration date with the term of the authority and agreement.

18. Explain each exception to the certification statement identified in item 19, "Certification Requirement for Paperwork Reduction Act."

There are no exceptions to the Certification Requirement for the Paperwork Reduction Act. The Agency is able to certify compliance with 5 CFR 1320.

Page 1 of 6


File Typeapplication/vnd.openxmlformats-officedocument.wordprocessingml.document
File Modified0000-00-00
File Created2021-01-21

© 2024 OMB.report | Privacy Policy