State Government Non-Responsive

How States Safeguard Supplemental Nutrition Assistance Program Participant's Personally Identifiable Information (PII) (New)

Appendix C.1 SA Leaders Interview Protocol

OMB: 0584-0666

Appendix C.1 SNAP State Agency Leaders in Safeguarding PII: Interview Protocol



According to the Paperwork Reduction Act of 1995, an agency may not conduct or sponsor, and a person is not required to respond to, a collection of information unless it displays a valid OMB control number. The valid OMB control number for this information collection is 0584-XXXX. The time required to complete this information collection is estimated to average 60 minutes per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information.

The U.S. Department of Agriculture Food and Nutrition Service (FNS) has hired our firm, 2M Research (2M), to conduct a study to examine how States are currently protecting the personally identifiable information (PII) of individuals applying to and participating in the Supplemental Nutrition Assistance Program (SNAP). The goal of the study is to gain an improved understanding of the policies and practices that SNAP State Agencies have implemented to safeguard PII included in SNAP applications or maintained in SNAP caseload files and to identify associated best practices.

As part of this study, 2M is conducting telephone interviews with SNAP State Agencies that have been identified as leaders in safeguarding PII. We greatly appreciate your responses to the web survey of all SNAP State Agencies, which helped inform the selection of your agency for participation in this interview. The interview is scheduled to last 1 hour and is composed of three sections: (1) experiences in protecting PII, (2) lessons learned, and (3) on-the-ground insights for improving PII practices.

Do you have any questions about the study?

Permission to Record

For this interview, we will take notes during the discussion. We would like to record the conversation so that we can ensure that our notes are accurate. The recording will only be used for research purposes, and only members of the 2M team will have access to the materials. The information your agency provides will be analyzed as part of all information gathered from the SNAP State Agencies participating in these interviews. In the study’s final report, we will formulate general lessons and present specific examples of experiences, lessons learned, and insights from each SNAP State Agency that participated in the interviews. We will not identify your agency or any other SNAP State Agencies by name in the final report. Do we have your permission to take notes and record this interview?


  • If interviewee agrees to be recorded:

    • Thanks—let’s get started. Now, we are going to turn on the recorder (TURN ON RECORDER). Can you please confirm that you have agreed to be recorded?

  • If interviewee declines:

    • Okay, that is not a problem. Please bear with us as we take detailed notes.


[Interviewer to read the following statement for county-administered States: Within county-administered systems, the SNAP SAs are responsible for establishing statewide safeguarding requirements in accordance with federal policies, while county-level agencies are given discretion in how to best meet or exceed the requirements set by the SNAP SA. Accordingly, this interview is primarily focused on the statewide safeguarding requirements established by your SA as opposed to the individual requirements established by county-level agencies.]


  1. Our records list your title(s) as [interviewee’s title] within [interviewee’s agency]. Can you please confirm this information and describe your roles and responsibilities within your agency?

Probe: How long have you been in your current position?


  1. We noted in our previous emails that it would be helpful for your agency to review applicable State legislation and regulations that govern the handling of PII. Can you please briefly describe the State legislation and regulations that govern your agency’s handling of PII?



Topic 1. Experiences in Protecting PII

  1. SNAP State Agencies, via FNS regulations and FNS Handbook 901 (The Advance Planning Document Process), are required to adopt a variety of safeguards to ensure adequate security of PII data throughout all phases of the data lifecycle, including when data are in use, in transit, or residing at rest. Can you please provide an overview of your agency’s approach to the following safeguards?

[Interviewer to read each domain, pause and await response, before reading the next domain]:

    1. Personnel Policies and Procedures: approaches used to ensure that staff working with PII have met security requirements to access data at approved security levels and to receive regular security training and education

    2. Security Policies and Procedures: approaches for implementing a robust security plan; for securing PII across hardware, software, and systems; and for regularly assessing risks and vulnerabilities and performing security testing

    3. Program Operations: safeguards used in administering SNAP, such as masking or timeout features, using secure data systems to process information, protecting delivery of SNAP benefits via Electronic Benefits Transfer (EBT), and matching PII to other data sources for eligibility determination or program integrity purposes

Probe: As far as you know, how does your agency’s approach to protecting PII differ from SNAP State Agencies in other States? In what ways is your agency’s approach similar?


  1. Are there safeguarding practices used by your agency that you would deem unique or innovative?

Probe: What makes these practices unique or innovative?


  1. The contexts in which SNAP State Agencies must operate may contribute to the adequacy of PII security. To what extent has your agency encountered any of the following challenges to safeguarding PII?

    1. Age of the associated data systems

    2. Use of vendor company security services that are inadequate or outdated

    3. Inadequate alignment with other State social service agencies (or other types of State Agencies) that have more advanced and effective safeguards

    4. Limits to resources for IT system security development, security staff training, and/or implementing security protocols (such as those related to threat detection, incident response, testing, etc.)

    5. Focus on other work that has higher and more immediate priority

    6. Unclear or inadequate Federal requirements and guidance

    7. Specific features of the SNAP system that involve PII, such as benefit delivery via EBT; systematic data sharing with other Federal and State Agencies as required to prevent fraud and abuse; access to SNAP data by outside entities such as the Fresh EBT app; and ensuring that children receiving SNAP benefits also receive school nutrition benefits

Probe: How did your agency work to overcome these challenges?


  1. In your view, are internal or external threats (coming from inside the agency versus coming from malicious actors residing outside of the agency) a bigger issue for the security of your agency’s PII data? Why?


  1. A recent report noted that shortfalls in resources, including inadequate budgets and lack of available cybersecurity talent, are the primary barriers to protecting PII for many State social services agencies.[1] To what extent has your agency encountered these types of barriers, and has it been able to overcome them?

Probe: In the same report, outsourcing was identified as an effective solution to overcoming resource issues. To what extent has your agency used outsourcing?

Probe: In your view, has outsourcing been an effective approach to addressing resource issues?

Probe: In your view, are there any particular challenges related to outsourcing?


  1. [If State Agency oversees or has policy responsibility for a county-administered SNAP program] How has operating a county-administered SNAP affected your agency’s safeguarding practices?

Probe: Have the safeguarding processes and procedures used by county IT or county security offices produced challenges in safeguarding PII across the State? Conversely, have these processes and procedures provided ideas for Statewide improvements?

Probe: To what extent have county agencies elected to develop their own data systems? What has been the associated impact of these external systems for safeguarding PII?


  1. In the first phase of this study, the 2M team conducted exploratory discussions with FNS staff and several SNAP State Agencies. These discussions identified a preliminary set of safeguarding best practices. Your agency’s survey answers noted that your agency had adopted the following safeguarding practices [Interviewer to read the affirmative responses from the survey and ask the respondent to confirm. In the event that respondents provide a short response, the interviewer will ask the respondent to provide additional contextual information]:

    1. Third-party security or vulnerability testing

    2. Monitoring email communications among staff

    3. Encryption of data at rest

    4. Patch management

    5. Multifactor authentication

    6. National Institute of Standards and Technology (NIST) cybersecurity framework

Probe: [Interviewer to list the practices that the respondent stated were not currently in use]: Is your agency planning to adopt any of these practices within the next 5 years?


Topic 2. Lessons Learned


  1. [Remind respondent that the interview is confidential and that individual agencies will not be named in the final report] What internal and external security threats has your agency faced related to SNAP PII data? Has your agency experienced any data breaches?

Probe: If so, can you summarize the nature of the threats or breaches and your agency’s response?


  1. Development of a comprehensive security plan is a central component of State efforts to protect PII. However, subject matter experts have suggested that SNAP State Agencies may find it challenging to keep their security plans up to date. To what extent has your agency struggled with updating, understanding, and/or complying with its security plan?

Probe: How did your agency work to overcome these challenges?


  1. What are the key lessons that your agency has learned in regard to safeguarding PII? What has worked well, and what hasn’t worked well?


  1. From a national perspective, in which areas are the PII safeguarding practices of SNAP State Agencies most in need of improvement?

Probe: What suggestions would you have for FNS and other SNAP State Agencies on improving safeguarding practices?


Topic 3. On-the-Ground Insights for Improving PII Practices


  1. As we noted earlier, your agency was identified by other stakeholders as a leader in safeguarding SNAP PII. In your view, what was the process, including the key steps, for your agency to achieve a high level of success in safeguarding PII?


  1. Given the need to consider associated costs and feasibility of implementation, what are the critical best practices that you would recommend SNAP State Agencies implement?

Probe: If funding and implementation constraints didn’t exist, what would be the “ideal” set of safeguards that SNAP State Agencies should pursue?

Probe: Are there safeguarding practices implemented by your SNAP State Agency that have limited utility and could be dropped or removed in consideration of resource constraints?


  1. Are there any safeguarding practices not yet discussed, which are used at another agency or an external organization, that you think would have value for SNAP State Agencies, including your own? If so, please identify.

Probe: Who are the agency or organizational contacts who could provide information about these practices?


  1. Are there SNAP State Agencies in other States that you would consider leaders in safeguarding PII? If so, which ones?

Probe: Why would you consider these other SNAP State Agencies to be leaders?


  1. Is there any other information that you’d like to share?


[1] Deloitte, LLP, National Association of State Chief Information Officers. (2018). 2018 Deloitte-NASCIO cybersecurity study – States at risk: Bold plays for change. Washington, DC: Deloitte.

File Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File Title: SNAP PII: Office of Management and Budget Information Collection Review Package
Subject: 1231981BF0081
Author: Andrés Romualdo, MA
File Modified: 0000-00-00
File Created: 2021-02-06
