Security Management Access Control System
SOCIAL SECURITY ADMINISTRATION
PRIVACY IMPACT ASSESSMENT
· Name of project.
Security Management Access Control System
· Unique project identifier.
016-00-SSA/PSS-G-003
· Privacy Impact Assessment Contact.
Director
Office of Protective Security Services
Office of Facilities Management
Social Security Administration
6410 Security Boulevard
Baltimore, MD 21235
· Describe the information to be collected, why the information is being collected, the intended use of the information and with whom the information will be shared.
Security Management Access Control System (SMACS) is a Social Security Administration (SSA) certified and accredited General Support System consisting of several sub-systems that automates and helps us implement the Homeland Security Presidential Directive 12 (HSPD-12) Personal Identity Verification (PIV) mandate, facilitates access to SSA buildings and systems, and supports physical security initiatives. We describe several of the sub-systems, including the information we collect, use, and share below:
- Electronic Personal Enrollment Credential System (EPECS) functions as the primary entry point for the enrollment process for SSA employees, contractors, and other agency personnel. We collect information via EPECS to create a credential record. We maintain the data throughout the PIV card lifecycle. We also use EPECS when conducting a background or national security investigation and for identity proofing an applicant.
- Card Management System (CMS) is responsible for managing the issuing of the credential including card production (manufacturing, printing, and shipping) and public key infrastructure (PKI).
Both the EPECS and the CMS systems collect personally identifiable information (PII), shown in the table below, as required by Federal Information Processing Standard Publication 201, Form I-9 (OMB No. 115-0316, Employment Eligibility Verification http://www.uscis.gov/files/form/i-9.pdf), and as is necessary for completing the PIV card registration and issuance process.
We collect and maintain information that relates to the registration and issuance of PIV cards, and we disclose the information only to individuals with a “need to know,” i.e., individuals who require the information to perform their official duties; to the subject of the record; and to other persons pursuant to an applicable routine use provision as authorized by the Privacy Act of 1974, or as otherwise permitted by Federal law. For example, under a routine use, the agency may disclose information to contractors, as necessary, to assist us in efficiently administering agency programs.
- Physical Access Control System (PACS) controls access to SSA facilities using an authorized credential and is implemented across many sites using the LENEL Security Access System (LSAS).
We collect the information shown in the table below for individuals with a legitimate need for entry to the secured Automated Data Processing (ADP) areas in the National Computer Center (NCC) and adjacent buildings. LSAS determines that the card PIN entered is correct for the card presented to the card reader and that the individual is authorized access to that area. The system records (or sounds an alarm in designated areas) when there is an unauthorized attempt to enter a protected zone or if anyone attempts to tamper with security sensors.
We use LSAS to safeguard personal and sensitive records about individuals, and to restrict access to SSA's computer facility and other secured areas that house the records. LSAS collects information to verify individuals’ access to a given secured area and to provide a record of those individuals authorized to access various areas of the NCC and adjacent building when they do so. In addition to ensuring the security of the computer facility and secured areas, data in the system is also used for management purposes to ensure and to verify time and attendance when employee fraud or abuse is suspected.
- Security Automated Features and Enhancements (SAFE) is a system consisting of several web-based tools that support physical security requirements. These tools allow us to perform compliance and risk assessments; look-up and print images for property passes; grant physical access to buildings, rooms, or system access levels; and request parking permits and update an individual’s parking record. We list several of the tools below:
We list the information we collect and may share for each of the various sub-systems below:
Table: Data Elements Collected (columns are the SMACS Sub-Systems)

| Data Elements Collected | EPECS | CMS | PACS | SAFE |
|---|---|---|---|---|
| Address | X | X | X | |
| Biometric data (2 fingerprint minutia for writing to the card) | X | X | | |
| Biometric data – Fingerprints (10 Print Electronic Fingerprint Transmission file) | X | | | |
| Date of Birth | X | X | | |
| Digital photograph (facial image) | X | X | | |
| Distinguished Name (legal name) used for PKI certificates | X | X | | |
| Email Address | X | X | X | |
| Employee Affiliation (e.g., Government vs. Contractor) | X | X | X | |
| Federal Agency Smart Credential Number (FASC-N) | X | X | X | |
| Name (Last, First, and Middle) | X | X | X | X |
| Internal Organization Affiliation | X | X | | |
| SSA system account parameters (SSA 6-digit PIN, username, SSA Email Address) | X | X | X | |
| Social Security Number (SSN) | X | X | | |
| Status of National Agency Check with Inquiries background investigation | X | X | | |
| Telephone | X | X | X | |
· Describe the administrative and technological controls that are in place or that are planned to secure the information being collected.
SMACS security includes technical, management, and operational controls that permit access to information only to persons with an official “need to know.” For example, these systems enforce the use of access codes (personal identification number and password) to enter computer systems that house the data. We maintain electronic files with personal identifiers in secure storage areas. We use audit mechanisms to record sensitive transactions as an additional measure to protect information from unauthorized disclosure or modification.
Additionally, we require that users of the SMACS system authenticate to the SSA network using their SSA issued 6-digit PIN and password or their PIV Credential. For EPECS, the user must also hold the necessary Top Secret profiles to be granted access to the system. For the SAFE system, authentication is achieved through Single Sign On (SSO) which verifies that the user holds necessary permissions and is authenticated prior to being presented the SAFE user interface (web portal).
In addition to authentication and access controls, SMACS systems use audit mechanisms to record sensitive transactions as an additional measure to protect information from unauthorized disclosure or modification.
The Office of Security and Emergency Preparedness and the Office of Information Security annually provide appropriate security awareness training to all our employees and contractors that includes reminders about the need to protect Personally Identifiable Information (PII) and the criminal penalties that apply to unauthorized access to, or disclosure of, PII. See 5 U.S.C. § 552a(i)(1). Furthermore, employees and contractors with access to databases maintaining PII must annually sign a sanction document that acknowledges their accountability for inappropriately accessing or disclosing such information.
· Describe the impact on individuals’ privacy rights.
The agency holds legal authority to collect this information to administer responsibilities under the Social Security Act. When we collect information from users wishing to conduct business with us through electronic services, we provide them with a Privacy Act Statement to advise them of the agency’s legal authority for requesting the information and explain the possible effects if they choose not to provide the information. Users can then make an informed decision whether or not to provide their personal information.
· Are individuals afforded an opportunity to decline to provide information?
We require individuals to provide us with this information for employment and access to our systems and facilities. When we collect a person’s information, we advise him/her of the purposes for which we will use the information. The individual is further advised that the information may be disclosed without written prior consent only when there is a specific legal authority to do so (e.g., the Privacy Act of 1974).
· Does the collection of this information require a new system of records under the Privacy Act (5 U.S.C. § 552a) or an alteration to an existing system of records?
The SMACS System does not require a new Privacy Act system of records (SOR) or an alteration to an existing system of records. We have several established systems that govern the information we collect through this system and the various sub-systems we explain in this PIA. The SORs include: Record of Individuals Authorized Entry to Secured Automated Data Processing Area (60-0210); Personal Identification Number File (60-0214); Parking Management Record System (60-0230); Records of Individuals Authorized Entry into Secured Areas by Digital Lock Systems, Electronic Key Card Systems or Other Electronic Access Devices (60-0270); Visitor Intake Process-Customer Service Record (60-0350); and Identity Management System (60-0361).
PIA CONDUCTED BY PRIVACY OFFICER, SSA:
/s/
Dawn S. Wiggins 9/20/2013
______________________________ ____________
Signature Date
PIA REVIEWED BY THE SENIOR AGENCY PRIVACY OFFICIAL, SSA:
/s/
Gwen Jones Kelley 9/30/2013
______________________________ _____________
Signature Date