SSN Justification Memo

DEFENSE HEALTH AGENCY

7700 ARLINGTON BOULEVARD, SUITE 5101
FALLS CHURCH, VIRGINIA 22042-5101

March 21, 2025
MEMORANDUM FOR DEFENSE PRIVACY, CIVIL LIBERTIES AND TRANSPARENCY
DIVISION
SUBJECT: Justification for the Use of the Social Security Number (SSN) in the Assistance
Reporting Tool, DoD Information Technology Portfolio Repository (DITPR) #13918
This memorandum is to satisfy the requirements of the Department of Defense
Instruction (DoDI) 1000.30, Reduction of Social Security Number (SSN) Use Within DoD, dated
August 1, 2012, that requires justification of the collection and use of SSNs in DoD systems.
This memo explains the necessity for SSNs to be collected by the Assistance Reporting Tool
(ART). The system of records notice (SORN) applicable to ART is EDTMA 04, Medical/Dental
Claim History Files (October 27, 2015, 80 FR 65720). The Privacy Impact
Assessment (PIA) for ART is fully executed with an expiration date of December 21, 2026.
ART is a secure web-based system and the only official government system used by the
Military Medical Support Office to track authorization determinations for:
•
•
•
•
•

Civilian health care services for remotely-located service members
Civilian line of duty medical care
VA care for members accepted under the DoD/VA MOA
Payment of civilian medical claims
Former members with a medical condition identified during their 180-day transition period

It is also the only government-owned centralized system that captures military treatment
facility and TRICARE-related (non-clinical) questions and issues from beneficiaries and providers.
ART complies with the DoDI 6015.02 requirement to develop and maintain “develop and maintain a
centralized, secure system to capture, manage, and monitor case work for designated BCACs
[Beneficiary Counseling and Assistance Coordinators], DCAOs, [Debt Collection Assistance
Officers], family assistance staff, Military Health System (MHS)
staff, and others serving in a customer service role.”
ART falls under TARS ATO, which was granted on 22 Feb 2025, and is set to expire on 22
Feb 2028.
ART is subject to the Paperwork Reduction Act (PRA) and the OMB Control Number is
0720-0060 with an expiration date of 30 June 2025. The new package is currently in progress
with an expected submission date of April 2025.

In accordance with DoDI 1000.30, continued use of SSNs within ART must be justified
by one or more of the Acceptable Use Cases set forth in DoDI 1000.30, Enclosure 2. The
Acceptable Use Cases applicable to ART are Acceptable Use Case 2.c.(8) Computer Matching,
and 2.c.(11) Legacy System Interface:
(8) Computer Matching. Systems, processes, or forms that interact with other
Government agencies may require the continued use of the SSN as a primary
identifier until such time as the applications to which they are linked move to
some other identifier as a primary means for transferring, matching, or checking
information. These applications shall be rigorously scrutinized to determine the
availability of some other means for conducting these transactions.
(11) Legacy System Interface. Many systems, processes, or forms that do not
meet the criteria in subparagraphs 2.c.(1) through 2.c.(10) of this enclosure for the
continued use of the SSN may not be able to transition to another identifier in a
timely manner due to an interface with a legacy system still using the SSN, or due
to the excessive cost associated with the change. In these cases, the continued use
of the SSN may be acceptable for a specified period of time, provided that
formalized, written plans are in place for the migration away from the SSN in the
future. Plans to alter these use cases must take into account interactions with
other applications as well as all methods for entry, processing, or transfer of
information from said application. It is critical that transfer away from the SSN
does not cause unacceptably long interruptions to continued operations.
ART users rely on other government systems and forms that continue to require the use
of SSN as a primary identifier. These systems and forms include:
•
•
•
•
•
•
•
•
•
•
•

Defense Enrollment Eligibility Reporting System (DEERS)
General Inquiry of DEERS (GIQD)
Marine Corps Medical Entitlements Data System (MCMEDS)
Army Line of Duty (LOD) Module
TRICARE Contractors’ Claims Systems
Air Force AF348
Army DA2173
DBN
MEDCHART
Defense Health Agency - Great Lakes Worksheet-01
Defense Health Agency - Great Lakes Worksheet-02

The following provides a list of the physical, technical, and administrative controls
currently in place in ART to reduce exposure of the SSN:
a) Physical Controls: ART data is stored on DCOPS Virtual Machine (VM) servers. ART backup data is secured in a fire-rated safe on zip drives at a third-party location. Access to the
room is limited to government and government-contracted personnel at the facility with the
proper cypher code to get into the room and the correct combination to the safe.

End-user access to ART is limited to personnel granted an ART account by the DHA
Communications Division. Users access ART via computers at their duty location or on
government-issued laptops. To access the system, users first authenticate to the DHA
network with a valid Common Access Card (CAC).
b) Technical Controls: Access to ART is restricted to authorized users. Users must use their
CAC to access the system. ART requires all users to have a CAC. A username and password
is only issued to new users when the account is created, solely for the purpose of associating
the CAC. Users who make three failed attempts to access ART are locked out. The ART
administrative team may only unlock accounts. The Intrusion Detection System assures
access to only authorized users. ART data exists behind a firewall; assuring communicating
networks are secure and trusted. ART data is provided a high level of security and data
integrity through encryption via MS SQL Server. TDE w/AES-256 encryption is used for
data at rest and SSL/TLS certificates for data in transit which also employ 256 bit encryption.
All backup disks are likewise encrypted via AES-256 encryption.
c) Administrative Controls: Only authorized users are permitted to access ART. Requests for
access are made by completing the System Authorization Access Request (SAAR) form (DD
Form 2875) and submitting it to the DHA Director’s Communications and Public Affairs
Division. Users are granted access based on their role within the MHS. Any ART account
not accessed in a 30-day period will default to an "Inactive" status. The ART administrative
team closes these accounts on a quarterly basis. ART technical staff performs daily audits on
the security methods protecting ART. The daily auditing report includes number of logins or
failed attempts and identifies any threats to data.
The point of contact for this program is Ms. Lennya Bonivento, Director’s Communications
and Public Affairs Division, DHA, 703-681-1770, [email protected].

4/2/2025

SHEDRICK.CHARLE
S.JOSE.1125538459

Digitally signed by
SHEDRICK.CHARLES.JOSE.1125
538459
Date: 2025.04.03 11:38:29 -05'00'

X

Ernest R Smith

Ernest Smith
Project Manager
Signed by: DHA

ERNEST R. SMITH
Project Manager, WMT SDD
...