1845-0134 Supporting Statement GA Security Self-Assessment 2022 30D


Guaranty Agencies Security Self-assessment and Attestation

OMB: 1845-0134


Tracking and OMB Number: (XX) 1845-0134 Revised: 9/21/2022


SUPPORTING STATEMENT

FOR PAPERWORK REDUCTION ACT SUBMISSION

Guaranty Agencies Security Self-Assessment


  1. Explain the circumstances that make the collection of information necessary. What is the purpose for this information collection? Identify any legal or administrative requirements that necessitate the collection. Include a citation that authorizes the collection of information. Specify the review type of the collection (new, revision, extension, reinstatement with change, reinstatement without change). If revised, briefly specify the changes. If a rulemaking is involved, list the sections with a brief description of the information collection requirement, and/or changes to sections, if applicable.


This is a request for a revision of the approved information collection used by Federal Student Aid (FSA), an office of the U.S. Department of Education (the Department) to ensure all data collected and managed in support of Federal student financial aid programs is secured.


The E-Government Act (Public Law 107-347) passed by the 107th Congress and signed into law by the President in December 2002 recognized the importance of information security to the economic and national security interests of the United States. Title III of the E-Government Act, entitled the Federal Information Security Management Act (FISMA) requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. FISMA, along with the Paperwork Reduction Act of 1995 and the Information Technology Management Reform Act of 1996 (Clinger-Cohen Act), explicitly emphasizes a risk-based policy for cost-effective security.


FSA continues to use a formal assessment program of the Guaranty Agencies that ensures the continued confidentiality and integrity of data entrusted to FSA by students and families. The assessment will identify security deficiencies based on the Federal standards described in the National Institute of Standards and Technology (NIST) publications. The comprehensive self-assessment links all questions with a NIST control. This collection of information impacts 19 independently owned Guaranty Agencies (GAs) dispersed throughout the U.S. Each agency is under a signed agreement with the Department of Education to service Federal Family Education Loans that have been turned over from the lending institutions to the GAs for the purpose of student loan collections.


  2. Indicate how, by whom, and for what purpose the information is to be used. Except for a new collection, indicate the actual use the agency has made of the information received from the current collection.


FSA has established a process for using a detailed self-assessment regarding the information technology security of our Guaranty Agency (GA) partners. This self-assessment will be completed by the GAs participating in the title IV student financial aid programs. FSA will review the responses provided by the GAs to the self-assessment to ensure the security protocols meet our requirements. If concerns are noted, FSA will work with the agency to strengthen any weaknesses.


  3. Describe whether, and to what extent, the collection of information involves the use of automated, electronic, mechanical, or other technological collection techniques or forms of information technology, e.g. permitting electronic submission of responses, and the basis for the decision of adopting this means of collection. Please identify systems or websites used to electronically collect this information. Also describe any consideration given to using technology to reduce burden. If there is an increase or decrease in burden related to using technology (e.g. using an electronic form, system or website from paper), please explain in number 12.


The assessment is conducted through the completion of an online survey tool to identify and collect evidence of applying the appropriate controls. Guaranty Agencies that have significant weaknesses in their controls and other security gaps will be required to submit an acceptable management plan that includes corrective action plans (CAPs) to resolve control weaknesses and security gaps within approved timeframes. FSA will provide contact information and staff available for calls, and will initiate conference calls that agencies can join to get assistance.


  4. Describe efforts to identify duplication. Show specifically why any similar information already available cannot be used or modified for use for the purposes described in Item 2 above.


There is no duplication associated with this collection of information.

  5. If the collection of information impacts small businesses or other small entities, describe any methods used to minimize burden. A small entity may be (1) a small business which is deemed to be one that is independently owned and operated and that is not dominant in its field of operation; (2) a small organization that is any not-for-profit enterprise that is independently owned and operated and is not dominant in its field; or (3) a small government jurisdiction, which is a government of a city, county, town, township, school district, or special district with a population of less than 50,000.


This information collection does not impact any small businesses or other small entities.


  6. Describe the consequences to Federal program or policy activities if the collection is not conducted or is conducted less frequently, as well as any technical or legal obstacles to reducing burden.


The nation-wide instances of data breaches within organizations trusted with personally identifiable information continue to climb. To assure the security of students' financial information, FSA must implement processes with its external partners to assess and implement strong security policies and controls.


  7. Explain any special circumstances that would cause an information collection to be conducted in a manner:

  • requiring respondents to report information to the agency more often than quarterly;

  • requiring respondents to prepare a written response to a collection of information in fewer than 30 days after receipt of it;

  • requiring respondents to submit more than an original and two copies of any document;

  • requiring respondents to retain records, other than health, medical, government contract, grant-in-aid, or tax records for more than three years;

  • in connection with a statistical survey, that is not designed to produce valid and reliable results that can be generalized to the universe of study;

  • requiring the use of a statistical data classification that has not been reviewed and approved by OMB;

  • that includes a pledge of confidentiality that is not supported by authority established in statute or regulation, that is not supported by disclosure and data security policies that are consistent with the pledge, or that unnecessarily impedes sharing of data with other agencies for compatible confidential use; or

  • requiring respondents to submit proprietary trade secrets, or other confidential information unless the agency can demonstrate that it has instituted procedures to protect the information’s confidentiality to the extent permitted by law.


The information being requested is considered Controlled Unclassified Information (CUI) and will contain information that could impact the security of the Guaranty Agencies' system that is used to service Federal Family Education Loan data. FSA will maintain the information in a secure file location with access control; will not share the details of the information with any person external to the Department of Education; and will only allow access to the information internally to those individuals with a need to know. FSA will not maintain hard copies of the information.


  8. As applicable, state that the Department has published the 60 and 30 Federal Register notices as required by 5 CFR 1320.8(d), soliciting comments on the information collection prior to submission to OMB.


Include a citation for the 60 day comment period (e.g. Vol. 84 FR ##### and the date of publication). Summarize public comments received in response to the 60 day notice and describe actions taken by the agency in response to these comments. Specifically address comments received on cost and hour burden. If only non-substantive comments are provided, please provide a statement to that effect and that it did not relate or warrant any changes to this information collection request. In your comments, please also indicate the number of public comments received.


For the 30 day notice, indicate that a notice will be published.

Describe efforts to consult with persons outside the agency to obtain their views on the availability of data, frequency of collection, the clarity of instruction and record keeping, disclosure, or reporting format (if any), and on the data elements to be recorded, disclosed, or reported.


Consultation with representatives of those from whom information is to be obtained or those who must compile records should occur at least once every 3 years – even if the collection of information activity is the same as in prior periods. There may be circumstances that may preclude consultation in a specific situation. These circumstances should be explained.


This is a request for a revision of the current information clearance of the self-assessment survey to be completed by the Guaranty Agencies who participate in title IV federal student aid programs.


On July 19, 2022, a Federal Register notice (Vol. 87, No. 137, pages 43016-43017) was published inviting the public to comment on the information collection. During the 60-day public comment period, 2 comments were received. Both commenters requested that FSA delay the implementation of the updated Guaranty Agency Security Self-assessment and Attestation using NIST 800-53 R5 until FY24. FSA agrees to delay the implementation of the updated self-assessment and attestation until February 2024.


The Department is now requesting a 30-day public comment period.


  9. Explain any decision to provide any payment or gift to respondents, other than remuneration of contractors or grantees with meaningful justification.


There are no payments or gifts provided to respondents.


  10. Describe any assurance of confidentiality provided to respondents and the basis for the assurance in statute, regulation, or agency policy. If personally identifiable information (PII) is being collected, a Privacy Act statement should be included on the instrument. Please provide a citation for the Systems of Record Notice and the date a Privacy Impact Assessment was completed as indicated on the IC Data Form. A confidentiality statement with a legal citation that authorizes the pledge of confidentiality should be provided.1 If the collection is subject to the Privacy Act, the Privacy Act statement is deemed sufficient with respect to confidentiality. If there is no expectation of confidentiality, simply state that the Department makes no pledge about the confidentiality of the data. If no PII will be collected, state that no assurance of confidentiality is provided to respondents. If the Paperwork Burden Statement is not included physically on a form, you may include it here. Please ensure that your response per respondent matches the estimate provided in number 12.


No personally identifiable information will be collected and there will be no system of record created. However, as stated in the response to item 7 above, the information being collected is considered Controlled Unclassified Information (CUI) and will contain information that could impact the security of the Guaranty Agencies' system that is used to service Federal Family Education Loan data. FSA will maintain the information in a secure file location with access control; will not share the details of the information with any person external to the Department of Education; and will only allow access to the information internally to those individuals with a need to know. FSA will not maintain hard copies of the information.


  11. Provide additional justification for any questions of a sensitive nature, such as sexual behavior and attitudes, religious beliefs, and other matters that are commonly considered private. The justification should include the reasons why the agency considers the questions necessary, the specific uses to be made of the information, the explanation to be given to persons from whom the information is requested, and any steps to be taken to obtain their consent.


There are no questions of a sensitive nature as noted above in this collection.


  12. Provide estimates of the hour burden for this current information collection request. The statement should:


  • Provide an explanation of how the burden was estimated, including identification of burden type: recordkeeping, reporting or third party disclosure. Address changes in burden due to the use of technology (if applicable). Generally, estimates should not include burden hours for customary and usual business practices.

  • Please do not include increases in burden and respondents numerically in this table. Explain these changes in number 15.

  • Indicate the number of respondents by affected public type (federal government, individuals or households, private sector – businesses or other for-profit, private sector – not-for-profit institutions, farms, state, local or tribal governments), frequency of response, annual hour burden. Unless directed to do so, agencies should not conduct special surveys to obtain information on which to base hour burden estimates. Consultation with a sample (fewer than 10) of potential respondents is desirable.

  • If this request for approval covers more than one form, provide separate hour burden estimates for each form and aggregate the hour burden in the table below.

  • Provide estimates of annualized cost to respondents of the hour burdens for collections of information, identifying and using appropriate wage rate categories. Use this site to research the appropriate wage rate. The cost of contracting out or paying outside parties for information collection activities should not be included here. Instead, this cost should be included in Item 14. If there is no cost to respondents, indicate by entering 0 in the chart below and/or provide a statement.


A single self-assessment form is being used. However, an accompanying attestation is also being requested and those hours to complete the attestation are included in the total hours.


The burden for the collection of information will be consistent between each of the 19 Guaranty Agencies (GAs) providing the information. This is a decrease of 1 agency from the previous information collection filing. An estimate of cost is provided based on similar work being done by individuals contracted by Federal Student Aid to perform like assessments. The number of hours is increased to account for the revision from NIST 800-53 R4 to R5: there is an increase in the number of controls that need to be assessed for each GA (~70 controls and 2 new control families). These estimates are as follows:


3 professional security staff working 8 hours per day for 12 days to collect information and develop reports (3 x 8 x 12 = 288 hours @ $132 per hour = $38,016)*


1 Quality Control staff for one week (1 x 40 = 40 hours @ $132 per hour = $5,280)*


2 Coordination (sum) (2 x 19 = 38 hours @ $164 per hour = $6,560)*


Total burden: FTEs = 366 hours x 19 GAs = 6,954 hours.

Estimated Cost: $49,856 x 19 GAs = $947,264.


This is a decrease of 1 respondent, an increase of 634 hours, and an increase of $89,984 from the previous estimates.





Estimated Annual Burden and Respondent Costs Table

| Information Activity or IC (with type of respondent) | Number of Respondents | Number of Responses | Average Burden Hours per Response | Total Annual Burden Hours | Estimated Respondent Average Hourly Wage | Total Annual Costs (hourly wage x total burden hours) |
| Private Institution | 9 | 9 | 366 | 3,294 | *See break out above | $448,704 |
| Public Institution | 10 | 10 | 366 | 3,660 | *See break out above | $498,560 |
| Annualized Totals | 19 | 19 | | 6,954 | | $947,264 |


Please ensure the annual total burden, respondents and response match those entered in IC Data Parts 1 and 2, and the response per respondent matches the Paperwork Burden Statement that must be included on all forms.


  13. Provide an estimate of the total annual cost burden to respondents or record keepers resulting from the collection of information. (Do not include the cost of any hour burden shown in Items 12 and 14.)


  • The cost estimate should be split into two components: (a) a total capital and start-up cost component (annualized over its expected useful life); and (b) a total operation and maintenance and purchase of services component. The estimates should take into account costs associated with generating, maintaining, and disclosing or providing the information. Include descriptions of methods used to estimate major cost factors including system and technology acquisition, expected useful life of capital equipment, the discount rate(s), and the time period over which costs will be incurred. Capital and start-up costs include, among other items, preparations for collecting information such as purchasing computers and software; monitoring, sampling, drilling and testing equipment; and acquiring and maintaining record storage facilities.


  • If cost estimates are expected to vary widely, agencies should present ranges of cost burdens and explain the reasons for the variance. The cost of contracting out information collection services should be a part of this cost burden estimate. In developing cost burden estimates, agencies may consult with a sample of respondents (fewer than 10), utilize the 60-day pre-OMB submission public comment process and use existing economic or regulatory impact analysis associated with the rulemaking containing the information collection, as appropriate.


  • Generally, estimates should not include purchases of equipment or services, or portions thereof, made: (1) prior to October 1, 1995, (2) to achieve regulatory compliance with requirements not associated with the information collection, (3) for reasons other than to provide information or keep records for the government or (4) as part of customary and usual business or private practices. Also, these estimates should not include the hourly costs (i.e., the monetization of the hours) captured above in Item 12.


Total Annualized Capital/Startup Cost: ____________________

Total Annual Costs (O&M): ____________________

Total Annualized Costs Requested: ____________________


No additional costs are expected beyond what was identified in #12 for completing the self-assessments.


  14. Provide estimates of annualized cost to the Federal government. Also, provide a description of the method used to estimate cost, which should include quantification of hours, operational expenses (such as equipment, overhead, printing, and support staff), and any other expense that would not have been incurred without this collection of information. Agencies also may aggregate cost estimates from Items 12, 13, and 14 in a single table.


Federal FTE Costs

Manager: .25 FTE

Support: .5 FTE

Coordination (sum): .25 FTE

============================

Approx. 1 FTE @ $155,000 annual


Contractor Costs

Analysis tool creation and initial analysis and reporting: $198,000

Standard Operation Procedures: $15,000 one time ($2,000 annual updates)

Annual analysis and reporting: $100,000

============================

Startup / first year costs: Approx. $213,000

Annual costs: Approx. $102,000


  15. Explain the reasons for any program changes or adjustments. Generally, adjustments in burden result from re-estimating burden and/or from economic phenomenon outside of an agency's control (e.g., correcting a burden estimate or an organic increase in the size of the reporting universe). Program changes result from a deliberate action that materially changes a collection of information and generally are the result of new statute or an agency action (e.g., changing a form, revising regulations, redefining the respondent universe, etc.). Burden changes should be disaggregated by type of change (i.e., adjustment, program change due to new statute, and/or program change due to agency discretion), type of collection (new, revision, extension, reinstatement with change, reinstatement without change) and include totals for changes in burden hours, responses and costs (if applicable).


Provide a descriptive narrative for the reasons of any change in addition to completing the table with the burden hour change(s) here.

Burden change table (columns: Program Change Due to New Statute; Program Change Due to Agency Discretion; Change Due to Adjustment in Agency Estimate):

Total Burden: +634 hours

Total Responses: -1

Total Costs (if applicable): not entered

This is a request for a revision of the approved information collection. There is an increase in the number of hours to account for the revision from NIST 800-53 R4 to R5. There is an increase in the number of controls that need to be assessed for each GA (~70 controls and 2 new control families) and a corresponding increase in burden hours. There are 19 respondents requiring 366 hours per response for a total burden of 6,954 hours, a decrease of 1 respondent and an increase of 634 hours.


  16. For collections of information whose results will be published, outline plans for tabulation and publication. Address any complex analytical techniques that will be used. Provide the time schedule for the entire project, including beginning and ending dates of the collection of information, completion of report, publication dates, and other actions.


This information will not be published.


  17. If seeking approval to not display the expiration date for OMB approval of the information collection, explain the reasons that display would be inappropriate.


The Department is not seeking this approval. The OMB control number and expiration date will be displayed on the survey template.


  18. Explain each exception to the certification statement identified in the Certification of Paperwork Reduction Act.


There are no exceptions to the certification statement.


1 Requests for this information are in accordance with the following ED and OMB policies: Privacy Act of 1974, OMB Circular A-108 – Privacy Act Implementation – Guidelines and Responsibilities, OMB Circular A-130 Appendix I – Federal Agency Responsibilities for Maintaining Records About Individuals, OMB M-03-22 – OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, OMB M-06-15 – Safeguarding Personally Identifiable Information, OM:6-104 – Privacy Act of 1974 (Collection, Use and Protection of Personally Identifiable Information)



File type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File title: Supporting Statement Part A
Author: Authorised User
File created: 2022-09-27
