Justification for the Non-Substantive Changes to 0960-0789

Non-Substantive Change Request 0789.doc

SSA's Public Credentialing and Authentication Process

OMB: 0960-0789


Justification for the Non-Substantive Changes for

Social Security Administration’s Public Credentialing and Authentication Process

20 CFR 401.45, 20 CFR 402

OMB Control Number: 0960-0789





Background

Since we established it in May 2012, SSA has used the Social Security Administration’s Public Credentialing and Authentication Process (hereafter called “electronic access” or my Social Security) to provide a secure, centralized gateway to Social Security’s public-facing electronic services.

On April 27, 2019, we are updating some of my Social Security requirements to ensure continued security and to enhance the system. We are also making these changes to allow the agency to move towards compliance with the National Institute of Standards and Technology (NIST) Special Publication 800-63-3 guidelines.

Due to the agile nature of our projects, another change request will follow up within six to nine months to request approval of additional updates to the system.


Revisions to the Collection Instrument


  • Change #1: We will display the customer’s Name and DOB on the Registration and Customer Support (RCS) screen to prevent re-entry of those fields. We will also ask the customer to input his or her email address; however, this will be optional at this point in registration.


Justification #1: We are updating this part of the system in order to provide a better customer experience. This allows ease of registration for the customers.


  • Change #2: The system will request the customer to complete registration of a second factor before creating an account.


Justification #2: We are updating this in order to ensure continued security and to enhance the system.


  • Change #3: We will collect and pre-populate the customer’s email address when they request email as a second factor during internet registration. When we collect the email address from RCS, we will store it in our database and pre-populate it for the customer in the finish setup process.


Justification #3: We are updating this part of the system in order to provide a better customer experience. This allows ease of registration for the customers.


  • Change #5: We will increase the maximum character length of a customer’s password to 64 characters.


Justification #5: We are making these changes to allow the agency to move towards compliance with the National Institute of Standards and Technology (NIST) Special Publication 800-63-3 guidelines.


  • Change #6: We will send automatic email reminders to our customers who have registered through the RCS in-person process.


Justification #6: These emails are to remind the customers that they have begun the registration process and must go online to finish the account setup process. We will send emails approximately 5-10 days prior to the customer’s activation code expiring.


  • Change #7: We will mask all nine digits of the customer’s Social Security Number (SSN) while the user is going through the registration process.


Justification #7: We are updating this in order to ensure continued security and to enhance the system.


  • Change #8: We are revising the Privacy Act Statement on the Internet application as well as on the RCS application.

Justification #8: SSA’s Office of the General Counsel is conducting a systematic review of SSA’s Privacy Act Statements. As a result, SSA is updating the Privacy Act Statement according to their changes on these screens.


These revisions will not change the public reporting burden.
