Justificaton for the Non-Substantive Changes - 0960-0789 (IT Mod Revisions)

Justification for the Non-Substantive Changes for

Social Security Administration’s Public Credentialing and Authentication Process

20 CFR 401.45 & 20 CFR 402

OMB No. 0960-0789

Background

Since its establishment in May of 2012, SSA uses the Social Security Administration’s Public Credentialing and Authentication Process (hereafter-called “eAccess”) to provide a secure, centralized gateway to Social Security’s public-facing electronic services. We currently allow users to register both through our eAccess Internet process, and through a personal interview process using the Registration and Customer Support (RCS) screens for in-person or telephone interviews.

We are making additional changes to enhance our system and ensure continued security for our customers. Previously, SSA partnered with the General Services Administration’s login.gov, but still maintained our own credentialing as an option for users. Therefore, customers were able to create an account with login.gov, or elect to create one. To provide additional security moving forward, if customers have an existing login.gov account with Identity Assurance Level (IAL)1 (no identity verification via login.gov) SSA will require them to identity proof to an IAL2 account during their first sign in attempt. This federated identity system (FIS) partner will use the same federal guidelines and principles used by SSA when registering customers. If customers are able to reuse existing credentials, it saves them time and effort because they do not have to go through the my Social Security registration process. Furthermore, they do not have to maintain another set of credentials.

Starting September 2021, the system will prompt all new registrants to create/sign in with an IAL1 login.gov credential to access their my Social Security accounts. The system will then return customers to SSA’s website. If the customers have an IAL1 credential, they will then complete SSA’s identity verification process, which is only done on the first sign in with the login.gov credential. If the customer has an IAL2 login.gov credential, they will proceed to their account. When customers access SSA’s website to sign in to their accounts, SSA’s website will present the customers with a choice to sign in with an eAccess credential or to sign in with a login.gov or ID.me credential. If the customer chooses to sign in with a login.gov credential, SSA’s website will direct the customer to login.gov to provide the login.gov username and password. If the sign in is successful, login.gov will redirect the customer to the my Social Security Terms of Service screen prior to accessing the account.

We are also making additional changes to continuously provide our customers with more options to handle business and personal affairs online. We will also be implementing the use of voice/phone calls for customers to receive their activation codes. This will be in addition to our current options of SMS text message and USPS mail.

In addition, there will be an added new application called the my Social Security Supplemental Security Income Change of Telephone (SSICOT). This application will allow Title XVI only recipients with specific payment status codes to update their phone number through my Social Security. The recipients that are either in current pay status, those under a suspension due to excess countable income, or those suspended due to rep payee/direct pay development are able to use this application. my Social Security SSICOT will be the first program to allow for SSI claimants to update their record.

As always, we continue to update authentication requirements for my Social Security customers to ensure continued security and to enhance the system. We are also making the above changes to allow the Agency to move towards compliance with the National Institute of Standards and Technology (NIST) Special Publication 800-63-3 guidelines in accordance with M-19-17.

We will implement these new, non-substantive revisions by the end of September. Therefore, we are asking for OMB’s approval of these revisions as soon as possible, to ensure we can implement on time.

Revisions to the Collection Instrument

• Change #1: All new registrants will be prompted to create a credential with login.gov to access their my Social Security account.

Justification #1: If customers are able to reuse existing credentials, it saves them time and effort because they do not have to go through the my Social Security registration process. Furthermore, they do not have to maintain another set of credentials.

• Change #2: We will now offer our customers the option to receive an activation code by voice/phone call.

Justification #2: We are continuously providing more options for our customers to handle business and personal affairs online.

• Change #3: Streamlining the registration process to allow better consistency between the registration process, number and type of security controls, and the risk of the digital service being requested.

Justification #3: Provides risk-commensurate control baselines that balance security, usability, and practicability for transactions at different risk levels.

• Change #4: Additionally, we are making some minor changes to screens.

Justification #4: These changes provide better usability for our customers.

Estimates of Public Reporting Burden

We are adjusting the reporting burden to this information collection, because we expect additional customers to register and access the website for the additional services we will offer on our my Social Security landing page. We incorporated the previously mentioned new registrations for representative payees to use RpMRC into our regular Internet registration number (to show the increase as needed). In addition, we also expect the number of respondents or burden hours we reported in our existing burden estimate to change as mentioned below. OMB approved the current burden estimate on 3/30/2021.

The data below is based off our actual Management Information (MI) data for fiscal year 2020. We use different modalities to collect the information, via the Internet and the Intranet. We estimate an additional 350,000 registrations due to my Social Security SSI Change of Phone Number on our my Social Security landing page. Since the packages are less than six months apart, we cannot estimate any additional changes at this time. We estimated the number of minutes for completion by averaging the “time-on-task” figures we obtained from our usability testing.

See chart below with the updated figures:

* We based this figure on average U.S. citizen’s hourly salary, as reported by Bureau of Labor Statistics data (https://www.bls.gov/oes/current/oes_nat.htm#00-0000).

** We based these figures on the average FY 2021 wait times for field offices (24 minutes) and teleservice call centers (19 minutes), based on SSA’s current management information data.

*** This figure does not represent actual costs that SSA is imposing on recipients of Social Security payments to complete this application; rather, these are theoretical opportunity costs for the additional time respondents will spend to complete the application. There is no actual charge to respondents to complete the application.

In addition, OMB’s Office of Information and Regulatory Affairs (OIRA) is requiring SSA to use a rough estimate of a 30-minute, one-way, drive time in our calculations of the time burden for this collection. OIRA based their estimation on a spatial analysis of SSA’s current field office locations and the location of the average population centers based on census tract information, which likely represents a 13.97 mile driving distance for one-way travel. We depict this on the chart below:

****We based this dollar amount on the Average Theoretical Hourly Cost Amount in dollars shown on the burden chart above.

Per OIRA, we include this travel time burden estimate under the 5 CFR 1320.8(a)(4), which requires us to provide “time, effort, or financial resources expended by persons [for]…transmitting, or otherwise disclosing the information,” as well as 5 CFR 1320.8(b)(3)(iii) which requires us to estimate “the average burden collection…to the extent practicable.” SSA notes that we do not obtain or maintain any data on travel times to a field office, nor do we have any data which shows that the average respondent drives to a field office, rather than using any other mode of transport. SSA also acknowledges that respondents’ mode of travel and, therefore, travel times vary widely dependent on region, mode of travel, and actual proximity to a field office.

NOTE: We included the total opportunity cost estimate from this chart in our calculations when showing the total time and opportunity cost estimates in the paragraph below.

The total burden for this ICR is 2,863,305 burden hours (reflecting SSA management information data), which results in an associated theoretical (not actual) opportunity cost financial burden of $204,376,037. SSA does not charge respondents to complete our applications. We base our burden estimates on current management information data, which includes data from actual interviews, as well as from years of conducting this information collection. Per our management information data, we believe that the 1 or 8 minutes listed above accurately shows the average burden per response for reading the instructions, gathering the facts, and answering the questions. Based on our current management information data, the current burden information we provided is accurate.

Future Plans

Due to the agile nature of our projects, we expect to move more applications to our my Social Security landing page, which users access through the electronic access authentication. At this time, we are still finalizing our IT modernization plans for these changes. We expect to submit another change request within six to nine months to request approval for additional updates to the system, and potentially, update the burden again to include more users if we are able to move more applications to our my Social Security landing page.