Justification for the Non-Substantive Changes to 0960-0789

Justification for the Non-Substantive Changes for

Social Security Administration’s Public Credentialing and Authentication Process

20 CFR 401.45, 20 CFR 402

OMB Control Number 0960-0789

Background

Since we established it in May of 2012, SSA uses the Social Security Administration’s Public Credentialing and Authentication Process (hereafter called “electronic access” or my Social Security) to provide a secure, centralized gateway to Social Security’s public-facing electronic services. In an effort to meet the Agency’s strategic goal to deliver innovative, quality services, we are placing several new applications behind the electronic access system.

On October 28, 2015, the House amended and passed the Senate Amendment Bipartisan Budget Act (BBA) of 2015. The BBA reallocates funds from the Old-Age and Survivors Insurance trust fund to Disability Insurance (DI) trust fund to ensure payments of full disability benefits into 2022. The BBA required SSA to implement a system that would permit DI beneficiaries to report their earnings via electronic means, similar to what is available for Title XVI recipients, which requires an automated receipt for wage reporting. SSA took the initiative to include DI work reporting and Supplemental Security Income (SSI) wage and work reporting.  We placed this application behind the electronic access system and called it my Wage Report.

Recently SSA data indicated increasing levels of anomalous claims in the agency’s online initial claims process (Internet Claim or iClaim).  The issue is focused on submittals that include retirement and retirement/disability claims. The agency is implementing authentication for iClaim to reduce the number of anomalous Internet claims. By doing so, we will ask customers applying for themselves who wish to access iClaim to register and sign in to a my Social Security account to submit a claim. Some customers, including those applying for someone else, may not be able to complete the authentication process. Any claims submitted by unauthenticated applicants will be processed through a distinct business process from those applicants who are authenticated.

My Representative Payee Accounting (my RPA) will provide Representative Payees the capability to complete their Annual Accounting responsibility online within the my Social Security suite of services. A legacy application with many of the same capabilities currently exists behind SSA’s Business Services Online portal. However, the application suffers from low usage and lower user satisfaction scores than other similar applications. My RPA aims to address these issues by leveraging the high user population and satisfaction levels of the my Social Security portal.

Finally, we are updating some of the my Social Security requirements to stay abreast with the guidelines. We will restructure the Password Reset Questions for my Social Security accounts to make sure that no two answers are the same, and that the length of the answers will have to be at least two characters long. We are doing this to strengthen the account recovery process and to prevent fraudulent account takeovers. In addition, we are discontinuing the expiration of passwords arbitrarily. Once the project releases, passwords will no longer expire, but the user can still change them. The latest National Institute of Standards and Technology (NIST) 800-63 Digital Identity Guidelines does not require users to change memorized secrets arbitrarily (e.g., periodically) unless there is a user request or evidence of authenticator compromise.

Revisions to the Collection Instrument

• Change #1: The Title II and Title XVI Wage Reporting application (my Wage Report) will use the electronic access system (my Social Security) for registration and authentication of its users.

Justification #1: The Bipartisan Budget Act of 2015, Section 826 required us to implement a system that would permit Disability Insurance (DI) beneficiaries to report their earnings via electronic means. Placing this application behind my Social Security provides a secure electronic service delivery channel for our customers.

• Change #2: The Internet Claim (iClaim) application will use the my Social Security electronic access process for registration and authentication of its users.

Justification #2: iClaim will use the my Social Security electronic access process for registration and authentication to reduce the amount of anomalous claims in the agency’s online initial claims process by authenticating individuals prior to accessing the system.

• Change #3: We will release a version of the Individual Representative Payee Accounting application that is currently in our Business Services Online (BSO) Suite of Services. We will call this new version my Representative Payee Accounting and we will place it behind the my Social Security electronic access portal for registration and authentication of its users.

Justification #3: We are releasing the my Representative Payee Accounting application behind my Social Security to provide a secure electronic service delivery channel for our customers.

• Change #4: We will restructure the Password Reset Questions for my Social Security accounts to make sure that no two answers are the same, and to ensure the length of the answers must be at least two characters long. We are also discontinuing the arbitrary expiration of passwords. Once the project releases, passwords will no longer expire, but the user can still change them. The sign-in page will show ‘Enter Activation Code’ under the ‘Finish Setting up Your Account’ section.

Justification #4: We are restructuring the Password Reset Question process to strengthen the account recovery process and to prevent fraudulent account takeovers. We are also updating the password requirements to remove the expiration date. The latest National Institute of Standards and Technology (NIST) 800-63 Digital Identity Guidelines does not require that memorized secrets be changed arbitrarily (e.g., periodically) unless there is a user request or evidence of authenticator compromise.

Estimates of Public Reporting Burden

We are adjusting the reporting burden to this information collection, because we expect additional customers to register and access the website for the additional services we will offer behind the my Social Security electronic access portal. We also expect the number of respondents or burden hours we reported in our existing burden estimate to change due to normal fluctuation in usage. OMB approved the current burden estimate on 12/13/2017.

We estimate that 64,030,538 respondents will use the Internet process annually to create and manage an account with SSA and then authenticate to gain access to our secured online services. We estimate that it takes an average of 8 minutes to complete a transaction, resulting in an annual reporting burden of 8,537,405 hours.

We estimate that 3,366,974 respondents will use the Intranet process annually to create and manage an account with us. We estimate that it takes an average of 8 minutes to complete this transaction, resulting in an annual reporting burden of 448,930 hours.

We use different modalities to collect the information, via the Internet and the Intranet. We included an estimated number of registrations and sign-ins when we calculated the total number of annual respondents. Taking data from each application sponsor, we estimated that an additional 2,347,050 registrations will occur due to the additional services offered. We estimated the number of minutes for completion by averaging the “time-on-task” figures we obtained from our usability testing.

See chart below with the updated figures:

The total annual burden for this information collection is 8,986,335 hours.