The Social Security Administration (SSA) publishes a list of information collection packages requiring clearance by the Office of Management and Budget (OMB) in compliance with Public Law 104–13, the Paperwork Reduction Act of 1995, effective October 1, 1995. This notice includes revisions of OMB-approved information collections.

SSA is soliciting comments on the accuracy of the agency's burden estimate; the need for the information; its practical utility; ways to enhance its quality, utility, and clarity; and ways to minimize burden on respondents, including the use of automated collection techniques or other forms of information technology. Mail, email, or fax your comments and recommendations on the information collection(s) to the OMB Desk Officer and SSA Reports Clearance Officer at the following addresses or fax numbers.

(OMB) Office of Management and Budget, Attn: Desk Officer for SSA, Fax: 202–395–6974, Email address: OIRA_Submission@omb.eop.gov.

Submit your comments online referencing Docket ID Number [SSA–2023–0035].

(SSA) Social Security Administration, OLCA, Attn: Reports Clearance Director, Mail Stop 3253 Altmeyer, 6401 Security Blvd., Baltimore, MD 21235, Fax: 833–410–1631, Email address: OR.Reports.Clearance@ssa.gov.

Or you may submit your comments online through https://www.reginfo.gov/​public/​do/​PRAMain, referencing Docket ID Number [SSA–2023–0035].

I. The information collections below are pending at SSA. SSA will submit them to OMB within 60 days from the date of this notice. To be sure we consider your comments, we must receive them no later than November 7, 2023. Individuals can obtain copies of the collection instruments by writing to the above email address.

1. Agreement to Sell Property—20 CFR 416.1240—1245—0960—0127. Individuals or couples who are otherwise eligible for Supplemental Security Income (SSI) payments, but whose resources exceed the allowable limit, may receive conditional payments if they agree to dispose of the excess non-liquid resources and make repayments. SSA uses Form SSA–8060–U3 to document this agreement, and to ensure the individuals understand their obligations. Respondents are applicants for and recipients of SSI payments who will be disposing of excess non-liquid resources.

Type of Request: Revision of an OMB-approved information collection.

2. Work Activity Report (Self-Employment)—20 CFR 404.1520(b), 404.1571—404.1576, 404.1584—404.1593, and 416.971—416.976—0960–0598. SSA uses Form SSA–820–BK to determine initial or continuing eligibility for: (1) Title II Social Security disability benefits (SSDI); or (2) Title XVI SSI payments. Under Titles II and XVI of the Social Security Act, recipients receive disability benefits and SSI payments based on their inability to engage in substantial gainful activity (SGA) due to a physical or mental condition. Therefore, when the recipients resume work, they must report their work so SSA can evaluate and determine by law whether they continue to meet the disability requirements. SSA uses Form SSA–820–BK to obtain information on self-employment activities of Social Security Title II and XVI disability applicants and recipients. We use the data we obtain to evaluate disability claims, and to help us determine if the claimant meets current disability provisions under Titles II and XVI. Since applicants for disability benefits or payments must prove an inability to perform any kind of SGA generally available in the national economy for which we expect them to qualify based on age, education, and work experience, any work an applicant performed until, or subsequent to, the date the disability allegedly began, affects our disability determination. The respondents are Start Printed Page 62137 applicants and claimants for SSI payments or SSDI benefits.

Type of Request: Revision of an OMB-approved information collection.

3. Social Security's Public Credentialing and Authentication Process—20 CFR 401.45 and 402—0960–0789.

Background

Authentication is the foundation for secure, online transactions. Identity authentication is the process of determining, with confidence, that someone is who he or she claims to be during a remote, automated session. It comprises three distinct factors: something you know; something you have; and something you are. Single-factor authentication uses one of the factors, and multi-factor authentication uses two or more of the factors.

SSA's Public Credentialing and Authentication Process

SSA offers consistent authentication across SSA's secured online services. We allow our users to request and maintain only one User ID, consisting of a self-selected username and password, to access multiple Social Security electronic services. Designed in accordance with the OMB Memorandum M–04–04 and the National Institute of Standards and Technology (NIST) Special Publication 800–63, this process provides the means of authenticating users of our secured electronic services and streamlines access to those services.

SSA's public credentialing and authentication process:

• Issues a single User ID to anyone who wants to do business with the agency and meets the eligibility criteria;
• Partners with an external Identity Services Provider (ISP) to help us verify the identity of our online customers;
• Complies with relevant standards;
• Offers access to some of SSA's workloads online, while providing a high level of confidence in the identity of the person requesting access to these services;
• Offers an in-person process for those who are uncomfortable with or unable to use the internet process;
• Balances security with ease of use; and
• Provides a user-friendly way for the public to conduct extended business with us online instead of visiting local servicing offices or requesting information over the phone. Individuals have real-time access to their Social Security information in a safe and secure web environment.

Public Credentialing and Authentication Process Features

We collect and maintain the users' personally identifiable information (PII) in our Central Repository of Electronic Authentication Data Master File Privacy Act system of records, which we published in the Federal Register (75 FR 79065). The PII may include the users' name; address; date of birth; Social Security number (SSN); phone number; and other types of identity information [ e.g., address information of persons from the W–2 and Schedule Self Employed forms we receive electronically for our programmatic purposes as permitted by 26 U.S.C. 6103(l)(1)(A)]. We may also collect knowledge-based authentication data, which is information users establish with us or that we already maintain in our existing Privacy Act systems of records.

We retain the data necessary to administer and maintain our e-Authentication infrastructure. This includes management and profile information, such as blocked accounts; failed access data; effective date of passwords; and other data allowing us to evaluate the system's effectiveness. The data we maintain also may include archived transaction data and historical data.

We use the information from this collection to identity proof and authenticate our users online, and to allow them access to their personal information from our records. We also use this information to provide second factor authentication. We are committed to expanding and improving this process so we can grant access to additional online services in the future.

Offering online services is not only an important part of meeting SSA's goals, but is vital to good public service. In increasing numbers, the public expects to conduct complex business over the internet. Ensuring SSA's online services are both secure and user-friendly is a high priority.

We awarded a competitively bid contract to an ISP, Equifax,^[1] to help us verify the identity of our online customers. We use this ISP, in addition to our other authentication methods, to help us prove, or verify, the identity of our customers when they are completing online or electronic transactions with us.

Social Security's Authentication Strategy

We remain committed to enhancing our online services using authentication processes that balance usability and security. We will continue to research and develop new authentication tools while monitoring the emerging threats.

The following are key components of our authentication strategy:

• Enrollment and Identity Verification—Individuals who meet the following eligibility requirements may enroll:

○ Must have a valid email address;

○ Must have a valid Social Security number (SSN);

○ Must have a domestic address of record (includes military addresses); and

○ Must be at least 18 years of age.

We collect identifying data and use SSA and ISP records to verify an Start Printed Page 62138 individual's identity. Individuals have the option of obtaining an enhanced, stronger, User ID by providing certain financial information ( e.g., Medicare wages, self-employed earnings, or the last eight digits of a credit card number) for verification. We also ask individuals to answer out-of-wallet questions so we can further verify their identities. Individuals who are unable to complete the process online can present identification at a field office to obtain a User ID.

• Establishing the User Profile—The individual self-selects a username and password, both of which can be of variable length and alphanumeric. We provide a password strength indicator to help the individual select a strong password. We also ask the individual to choose challenge questions for use in restoring a lost or forgotten username or password.
• Provide a Second Factor—We ask the individual to provide a text message enabled cell phone number or an email address. We consider the cell phone number or email address the second factor of authentication. We send a security code to the individual's selected second factor. We require the individual to confirm its receipt by entering the security code online. Subsequently, each time the individual attempts to sign in to his or her online account, we will also send a message with a one-time security code to the individual's selected second factor. The individual must enter the security code along with his or her username and password. The code is valid for only 10 minutes. If the individual does not enter the code within 10 minutes, the code expires, and the individual must request another code.
• Enhancing the User ID—If individuals opt to enhance or upgrade their User IDs, they must provide certain financial information for verification. We mail a one-time-use upgrade code to the individual's verified residential address. When the individual receives the upgrade code in the mail, he or she can enter this code online to enhance the security of the account. With extra security, we continue to require the individuals to sign in using their username, password, and a one-time security code we send to their second factor email address or cell phone number (whichever the users listed in their account).
• Sign in and Use—Our authentication process provides an individual with a User ID for access to our sensitive online Social Security services. Second factor authentication requires the individual to sign in with a username, password, and a one-time security code sent to the individual's selected second factor. SSA expanded its existing capabilities to require second factor authentication for every online sign in. We also allow for maintenance of the second factor options. An individual who forgets the password can reset it automatically without contacting SSA.

Social Security's Enrollment Process

The enrollment process is a one-time only activity. SSA requires the individuals to agree to the “Terms of Service” detailed on our website before we allow them to begin the enrollment process. The “Terms of Service” inform the individuals what we will and will not do with their personal information, and the privacy and security protections we provide on all data we collect. These terms also detail the consequences of misusing this service.

To verify the individual's identity, we ask the individual to give us minimal personal information, which may include:

• Name;
• SSN;
• Date of birth;
• Address—mailing and residential;
• Telephone number;
• Email address;
• Financial information;
• Cell phone number; and
• Selecting and answering password reset questions.

We send a subset of this information to the ISP, who then generates a series of out-of-wallet questions back to the individual. The individual must answer all or most of the questions correctly before continuing in the process. The exact questions generated are unique to each individual.

This collection of information, or a subset of it, is mandatory for respondents who want to do business with SSA via the internet. We collect this information via the internet, on SSA's public-facing website. We also offer an in-person identification verification process for individuals who cannot, or are not willing, to register online. For this process, the individual must go to a local SSA field office and provide identifying information. We do not ask for financial information with the in-person process.

We only collect the identity verification information one time, when the individual registers for a credential. We ask for the User ID (username and password) every time an individual signs in to our automated services. If individuals opt for the enhanced or upgraded account, they also either receive an email message or a text message on their cell phones (this serves as the second factor for authentication) each time they sign in.

The respondents are individuals who choose to use the internet or Automated Telephone Response System to conduct business with SSA.

Type of Request: Revision of an OMB-approved information collection.

II. SSA submitted the information collection below to OMB for clearance. Your comments regarding this information collection would be most useful if OMB and SSA receive them 30 days from the date of this publication. To be sure we consider your comments, we must receive them no later than October 10, 2023. Individuals can obtain Start Printed Page 62139 copies of this OMB clearance package by writing to the OR.Reports.Clearance@ssa.gov.

1. Authorization for the Social Security Administration to Obtain Wage and Employment Information from Payroll Data Providers—0960–0807. Section 824 of the Bipartisan Budget Act (BBA) of 2015, Public Law 114–74, authorizes SSA to enter into information exchanges with payroll data providers for the purposes of improving program administration and preventing improper payments in the SSDI and SSI programs. SSA uses Form SSA–8240, “Authorization for the Social Security Administration to Obtain Wage and Employment Information from Payroll Data Providers,” to secure the authorization needed from the relevant members of the public to obtain their wage and employment information from payroll data providers. Ultimately, SSA uses this wage and employment information to help determine program eligibility and payment amounts.

The public can complete Form SSA–8240 using the following modalities: a paper form; the internet; and an in-office or telephone interview, during which an SSA employee documents the wage and employment information authorization information on one of SSA's internal systems (the Modernized Claims System (MCS); the SSI Claims System; eWork; or iMain). The individual's authorization will remain effective until one of the following four events occurs:

• SSA makes a final adverse decision on the application for benefits, and the applicant has filed no other claims or appeals under the Title for which SSA obtained the authorization;
• the individual's eligibility for payments ends, and the individual has not filed other claims or appeals under the Title for which SSA obtained the authorization;
• the individual revokes the authorization verbally or in writing; or
• the deeming relationship ends (for SSI purposes only).

SSA requests authorization on an as-needed basis as part of the following processes: (a) SSDI and SSI initial claims; (b) SSI redeterminations; and (c) SSDI Work Continuing Disability Reviews. The respondents are individuals who file for, or are currently receiving, SSDI or SSI payments, and any person whose income and resources SSA counts when determining an individual's SSI eligibility or payment amount.

Type of Request: Revision of an OMB approved information collection.

2. Notice to Electronic Information Exchange Partners to Provide Contractor List—0960–0820. The Federal standards Privacy Act of 1974; E-Government act of 2002; and the National Institute of Standard Special Publications 800–53–4, requires SSA to maintain oversight of the information it provides to Electronic Information Exchange Partners (EIEPs). EIEPs obtain SSA data for the administration of federally funded and state-administered programs. SSA has a responsibility to monitor and protect the personally identifiable information SSA shares with other Federal and State agencies, and private organizations through the Computer Matching and Privacy Protection Act, and the Information Exchange Agreements (IEA). Under the terms of the State Transmission Component IEA, and agency IEA, EIEPs agree to comply with Electronic Information Exchange security requirements and procedures for State and local Agencies exchanging electronic information with SSA. SSA's Technical Systems Security Requirements document provides all agencies using SSA data ensure SSA information is not processed; maintained; transmitted; or stored in; or by means of data communications channel; electronic devices; computers; or computer networks located in geographic or virtual areas not subject to U.S. law. SSA conducts tri-annual compliance reviews of all State and local agencies, and Tribes with whom we have an IEA, to verify appropriate security safeguards remain in place to protect the confidentiality of information SSA supplies. SSA requires any organization with an electronic data exchange agreement, to provide the SSA Regional Office contact a current list of contractors, or agents who have access to SSA data upon request. SSA uses Form SSA–731, Notice to Electronic Information Exchange Partners to Provide Contractor List to collect this. The respondents are Federal agencies; State, local, or tribal agencies; who exchange electronic information with SSA.

Type of Request: Revision to an OMB-approved information collection.

Footnotes