ML20282A715
FY2020 SSN Eliminated and Progress Report Revised for 2020
Issue date: 10/26/2020
From: NRC/OCIO
References: SRM-EDO011121-1

U.S. NUCLEAR REGULATORY COMMISSION PLAN TO ELIMINATE THE UNNECESSARY COLLECTION AND USE OF SOCIAL SECURITY NUMBERS

INTRODUCTION

In response to the Office of Management and Budget (OMB) May 22, 2007, memorandum (M-07-16), Safeguarding Against and Responding to the Breach of Personally Identifiable Information, the U.S. Nuclear Regulatory Commission (NRC) has established a plan in which the agency will eliminate the unnecessary collection and use of the Social Security number (SSN) by November 22, 2008, in compliance with OMB's eighteen-month time frame.

The NRC's mission is to license and regulate the Nation's civilian use of byproduct, source, and special nuclear materials to ensure adequate protection of public health and safety, promote the common defense and security, and protect the environment. The NRC is not an agency whose primary purpose is to collect and maintain information about individuals. Of the personally identifiable information (PII) that the NRC does collect and use, a significant majority relates to its personnel (employees and contractors).

The NRC has initiated improvements related to the protection of PII. These improvements are based on the NRC's Office of the Inspector General (OIG) June 30, 2006, Audit (OIG-06-A-14), "Evaluation of Personal Privacy Information Found on NRC Network Drives," OMB's June 23, 2006, memorandum (M-06-16), "Protection of Sensitive Agency Information," and NRC Chairman Dale E. Klein's July 26, 2006, memorandum, "Protection of Personal Privacy Information." The increase in recent reporting of stolen or missing laptop computers containing PII at various Government agencies was an additional incentive for improving the NRC's protection of PII.

In response to the OIG audit, which found PII on agency-shared network drives, the NRC's Office of the Executive Director for Operations directed agency staff to review data generated or stored on the shared network drives for PII. As of April 18, 2007, the searches of the shared network drives were completed, and all PII that was identified was either removed from the shared drives or access to it was restricted to individuals with a need-to-know.

Agency staff have been instructed not to place PII on shared network drives unless access to this information is restricted to individuals with a need-to-know. NRC has also developed policies and procedures that include periodic (annual) reviews of agency network drives for the presence of PII.

In an effort to identify how PII is used in the NRC and to develop policies and procedures to protect PII, the NRC's Senior Agency Official for Privacy established a task force on September 29, 2006. The objectives of the task force, which consists of representatives from each of the NRC program and support offices at its Headquarters and Regional locations, are to identify current data sources containing PII, review the use of the SSN and other PII to reduce its collection and storage, recommend modifications to business processes and operations to protect PII, and increase staff awareness of PII issues, policies, and procedures.

IDENTIFYING THE COLLECTION AND USE OF THE SSN

The NRC has identified the collections and uses of the SSN through multiple actions.

The PII task force began its efforts in October 2006, coordinating with each of the agency's program and support offices and compiling details of the types of PII used throughout the agency, the data sources that contain PII, the forms the agency uses that collect PII, the uses and dissemination of PII, and the methods used to store and safeguard PII. In January 2007, the NRC prepared its response to OMB's December 5, 2006, request for Federal agencies to complete a matrix identifying their processes where the SSN is used and collected. In May 2007, to assist in developing the agency plan to eliminate the unnecessary uses and collection of the SSN, the PII task force began analyzing the information compiled on the agency's PII use and collection to determine how and where specific uses and collections of the SSN could be reduced or eliminated.

ELIMINATING THE UNNECESSARY COLLECTION OF THE SSN

The NRC is in the process of reviewing all agency forms in an effort to reduce or eliminate where possible the unnecessary collection of PII. Currently, the NRC maintains 425 forms in its inventory. As of August 3, 2007, the NRC determined that 68 of the 425 forms collect PII. Of the 68 forms that collect PII, 42 have been identified as collecting the SSN.

To address the unnecessary collection of the SSN as required in OMB M-07-16, the NRC began its review of all agency forms by first focusing on the 42 forms that collect the SSN.

Each form is being reviewed in coordination with the owner of the form (sponsoring office) to determine if the collection of PII, including the SSN, is necessary. If the collection of all or part of the PII is determined to be necessary, the requirement to collect the PII, especially the SSN, will be identified along with any process that will be modified to either reduce access to the PII or visually mask it. Although the collection of the SSN may be considered a required collection, the SSN will be replaced with the Office of Personnel Management (OPM) proposed unique employee identification number (UEID) when agencies are instructed to do so. If the NRC determines that the collection of part or all of the PII is unnecessary, a decision will be made to discontinue the collection or, in the case of the SSN, replace it with another unique identifier.

The NRC completed the review of the 42 forms that collect the SSN, including incorporating all identified revisions, as of November 30, 2007. The NRC completed the review of the remaining 26 forms identified as collecting PII but not the SSN as of January 31, 2008. The NRC's forms review process will be an ongoing effort to ensure that all agency forms, current or proposed, that collect not only the SSN but any PII are reviewed to prevent, reduce, or eliminate any unnecessary collections.

The majority of NRC forms that collect the SSN are owned by the NRC's Office of Human Resources, Office of the Chief Financial Officer (OCFO), and Office of Administration (ADM) and are used for personnel, payroll/accounting, and security purposes. The NRC's elimination of the SSN or replacement of the SSN on these forms with the proposed OPM UEID or other acceptable unique identifier can only be implemented based on guidance received from the Federal agency requiring the collection (i.e., OPM, Internal Revenue Service (IRS), Federal Bureau of Investigation (FBI), etc.). The NRC will convert from the use of the SSN to the use of the OPM UEID consistent with OPM and OMB guidance when such guidance is issued.


ELIMINATING THE UNNECESSARY USES OF THE SSN

The majority of the NRC's SSN uses are based on requirements placed upon the NRC by other Federal agencies, for example OPM's requirement to use the SSN as a unique identifier for maintaining official Federal personnel records and the IRS requirement to use the SSN as a unique identifier for reporting payroll earnings. Any action to eliminate an externally driven required use will depend on guidance issued to the NRC by that external entity. Therefore, the NRC's review to eliminate unnecessary SSN uses focuses on internally driven uses.

The NRC's review has identified a use of the SSN that is considered to be unnecessary and will be eliminated. This is the use of the SSN to verify an employee's identity for tracking dosimeters used to measure exposure to radiation. The employee identification number will replace the SSN in ADM's Dosimeter Tracking System for all existing and newly created records. Employees will show their badge to verify their identity when they pick up and return a dosimeter, but the bar code on their badge will no longer be scanned to collect the SSN.

This change required a modification to the Dosimeter Tracking System, which was completed by October 30, 2007.

The NRC's review has also identified uses that, although necessary, involve processes that can be modified to reduce access to the SSN. Below are the processes that have been identified where access to PII, including the SSN, is being reduced.

One area the NRC has identified where access to and use of the SSN can be reduced is within an organization's administrative office files. Each program office maintains administrative files on its employees, which include copies of travel, training, personnel, time and attendance, and payroll records for administrative purposes. The Privacy Act systems of records managers will be instructed to provide specific guidance to the custodians of these files by early January 2008, stating exactly what documents they are authorized to maintain copies of and how long the copies should be retained. The system managers will then require confirmation from the custodians by March 31, 2008, that the review of the administrative files for compliance with the recordkeeping requirements has been completed. This recordkeeping guidance will then become part of a system manager's annual reminder to custodians of Privacy Act records on the procedures, guidelines, and safeguards applicable to a system of records, and on the responsibilities involved in protecting the records from unauthorized access.

The NRC is also working on a project to identify all of its procurements for acquisition of supplies and services (contract/simplified acquisitions) that receive, process, or maintain PII.

To identify these procurements, the Statement of Work for each active contract/simplified acquisition will be reviewed by the assigned project officer to determine if receiving, processing, or maintaining PII is stated under the terms of the contract/simplified acquisition. The NRC completed the identification of these procurements as of November 30, 2007. Once identified, all holdings will be reviewed to determine if the PII being received, processed, or maintained is necessary, and if it is being handled in a manner that ensures security and integrity. This project was completed as of November 22, 2008.

Although still considered to be a necessary use of PII, the NRC's OCFO identified a process to reduce access to the SSN and all PII by limiting its visibility in the agency's Federal Financial System (FFS). The OCFO created, tested, and loaded a new vendor table that masks all PII. Only system users requiring full access to PII as a requirement of their official duties will be authorized to access the unmasked vendor table or any other tables containing PII.

All FFS user access profiles have been reviewed and revised as needed to ensure access to PII is limited to those with a need-to-know. This system update was completed on June 6, 2007.

After performing a review to identify instances where the SSN is used, the NRC's Region IV staff determined that the use of the SSN in the Region IV Travel database was unnecessary and could be eliminated. In order to eliminate use of the SSN immediately while minimizing changes to the database, the system was modified to record a common placeholder value of 000-00-0000 in the SSN field for every traveler, so that an actual SSN can no longer be included in the database. This change was implemented on August 1, 2007.

COMPLETION

The elimination of the collections and uses of the SSN that the NRC has determined to be unnecessary has been completed as of November 22, 2008, as required by OMB M-07-16.

Where the collection and use of the SSN is considered to be necessary based on requirements placed upon the NRC by outside sources, the completion of any further actions involving its elimination or replacement will depend on the guidance and schedules issued to all Federal agencies by those sources. No new activities or updates have occurred in FY 2017 or FY 2018.


Progress Update on Actions Taken to Protect Personally Identifiable Information/Social Security Numbers October 1, 2020

U.S. Nuclear Regulatory Commission Progress Update on Actions Taken to Protect Personally Identifiable Information/Social Security Number

The U.S. Nuclear Regulatory Commission (NRC) has completed all actions identified in its Plan to Eliminate the Unnecessary Collection and Use of Social Security Numbers, dated September 19, 2007. To build on the efforts identified in this plan, the NRC continues to develop and issue policy and procedures to protect personally identifiable information (PII), which includes the Social Security number (SSN), and to eliminate or reduce its unnecessary collection and use. Below are the actions that have been taken by the NRC to protect PII. In addition, the NRC has issued an updated policy for electronic processing of all types of sensitive information as Management Directive (MD) 12.5, NRC Cybersecurity Program, dated November 2, 2017.

1. Agency Policy Issued on Safeguarding Personally Identifiable Information

The NRC has developed policies and procedures to implement guidance from the Office of Management and Budget (OMB) on safeguarding PII in the possession of the Federal Government. The NRC issued the policies described below to agency staff through the use of all-employee announcements referred to as yellow announcements (YA).

YA 2006-069, Protection of Personally Identifiable Information, dated September 19, 2006, contained the following prohibitions and directions from the NRC Executive Director for Operations (EDO):

  • Prohibits the removal of electronic PII from NRC-controlled space until all PII on mobile computers or devices is encrypted.
  • Prohibits staff from storing PII pertaining to NRC official business on personally owned hard drives, removable media, and other stand-alone storage devices.
  • Prohibits staff from using personally owned computers for processing or storing information pertaining to NRC official business that contains the PII of individuals other than themselves.
  • Prohibits staff from removing paper documents that contain PII of individuals other than themselves from NRC-controlled space unless the PII has been redacted from the documents or an exception has been granted.
  • Restricts remote access to PII on NRC systems by requiring two-factor authentication and enforcing a 30-minute timeout.
  • Prohibits e-mail of PII outside of the NRC's infrastructure, except where necessary to conduct agency business.
  • Requires managers of Privacy Act systems of records to identify existing extracts or outputs that contain PII and determine whether the extracts are necessary; log all computer-readable data extracts from these systems holding PII and verify that each extract, including PII, has been erased within 90 days or that its use is still required. For systems that cannot automatically generate logs of data extracts, manual logs must be maintained.


YA 2006-069 has been incorporated into MD 12.5.

YA 2007-096, Guidance for Periodic Review of Agency Network Drives for the Presence of Personally Identifiable Information, dated September 6, 2007, stated that the NRC would review all agency-shared network drives for the purposes of identifying and eliminating PII at least annually. Each search will begin where the previous search finished. The NRC will review only those files placed on the drive after the end date of the previous search or previously existing files that were modified after the end date of the previous search.

YA 2007-106, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, dated September 19, 2007, issued the agency's PII breach notification policy, which addresses the security of information systems, whether in paper or electronic form, incident reporting and handling, notification outside the agency, and the responsibilities of individuals who are authorized access to PII. This policy was revised to incorporate credit monitoring services, including the quantitative risk analysis formula, and issued to staff through YA 2009-014, dated February 9, 2009.

YA 2008-021, Policy Revision: Policy Prohibiting the Use of Peer-to-Peer Software, and Its Impact on Processing Sensitive Unclassified Non-Safeguards Information on NRC Information Technology Systems, Mobile Devices, and Home Computers, dated February 7, 2008, prohibits all employees, including staff and contractors, from installing peer-to-peer software on agency computers without the explicit written approval of an agency Designated Approving Authority. In addition, employees are prohibited from processing sensitive unclassified non-safeguards information (SUNSI) (PII is a subset of SUNSI) on home computers unless connected to and working within CITRIX, the NRC broadband remote access system.

Employees are prohibited from downloading or storing SUNSI (including PII) to the hard drive of a home computer when connected to and working within CITRIX. Employees are also expressly prohibited from processing SUNSI on home computers even when a floppy disk, CD, DVD, or thumb drive is the storage media. Employees who work at home must perform electronic processing of SUNSI on either (1) a home computer within the virtual environment provided by the agency through CITRIX or (2) an NRC-issued laptop with NRC-approved encryption software.

YA 2008-021 has been incorporated into MD 12.5.

YA 2008-063, Policy: Information Security and Records Management Requirements When Using Information Sharing and Learning Technologies Such As SharePoint and To move, dated April 17, 2008, stated that the following applies to content on sites using these tools:

  • SUNSI is prohibited unless appropriate access restrictions are applied on a need-to-know basis.
  • PII, which is a subset of SUNSI, is prohibited as stated above, except when the PII is part of a communication on regulatory matters submitted to the NRC by an external entity that is intended for public dissemination (e.g., rulemaking comments or adjudicatory filings).
  • Uses of personal sites, such as My Site in SharePoint, are restricted to work- and office-related information only. No personal information, including PII, is permitted.

YA 2008-092, Information Technology Implementation Policy - Computer Security Information Protection Policy, dated June 26, 2008, issued revised policy requiring staff to (1) integrate security and privacy requirements into information system investments and (2) fund security and privacy over the lifecycle of each system undergoing development, modernization, or enhancement. Also, staff must ensure that operational systems meet applicable security requirements for security-significant isolated or widespread weaknesses identified by the agency Inspector General, the Government Accountability Office, or during privacy program reviews.

YA 2008-093, Information Technology Implementation Policy - Updated Computer Security Incident Response and Personally Identifiable Information Incident Response, dated July 3, 2008, issued revised policy that provides direction for responding to computer security incidents affecting NRC systems, networks, and users, as well as PII incidents. The revised policy contains timeframes for responding to such incidents, based on the criticality of the affected resources and the incident; formally establishes a Computer Security Incident Response Team (CSIRT) to respond to such incidents; and outlines the CSIRT security incident response process.

YA 2008-092 and YA 2008-093 have been incorporated into MD 12.5.

YA 2008-126, Policy Reminder: Personally Identifiable Information and Employee Identification Number, dated September 9, 2008, stated that the NRC no longer treats the employee identification number (EIN) as PII. This enables use of the EIN instead of the Social Security number (SSN) in the e-Travel System, the iLearn Learning Management System, and other NRC uses.

YA 2008-157, Information Technology Security Policy - Encryption of Data at Rest, dated December 17, 2008, stated that all electronic media containing NRC sensitive information must be encrypted if the media is outside of NRC facilities.

YA 2008-157 has been incorporated into MD 12.5.

YA 2009-014, Commission Approves Credit Monitoring Services for Victims of NRC Personally Identifiable Information Breaches, dated February 9, 2009, stated that NRC will offer credit monitoring services under certain circumstances to individuals whose PII has been unintentionally breached by the NRC.

YA 2009-035, Information Technology Security Policy - Laptop Security Policy, dated April 2, 2009, provides direction for securing laptops.

YA 2009-035 has been incorporated into MD 12.5.

U.S. Nuclear Regulatory Commission Agency-wide Rules of Behavior for Authorized Computer Use, Version 1.3, issued July 1, 2015, are required to be acknowledged by each user as part of the annual computer security awareness training.

YA 2015-026, Policy Clarification - Documents Inadvertently Released to the Public, dated February 13, 2015, was issued to clarify and update the reporting requirements after an inadvertent release of information.

YA-2016-0076, Clarification of the U.S. Nuclear Regulatory Commission's Policy for Protection and Handling Personally Identifiable Information, dated August 5, 2016, was issued to clarify the policy on emergency contact lists, duty rosters, and other low-risk PII. Specifically, this YA clarifies the exceptions available to NRC employees regarding the removal or use of emergency contact lists, duty rosters, and other low-risk PII.


2. Reviews Conducted To Identify and Reduce the Unnecessary Collection and Use of PII

To identify and eliminate the unnecessary collection, use, and improper storage of PII, including the SSN, within the agency, the staff has performed the actions described below.

In response to the NRC Office of the Inspector General (OIG) Audit (OIG-06-A-14), Evaluation of Personal Privacy Information Found on NRC Network Drives, dated June 30, 2006, which found PII on agency-shared network drives, the EDO directed staff to review data generated or stored on the shared network drives for PII. On April 18, 2007, the staff completed the first search of the shared network drives, and all identified PII was either removed from the shared drives or access to it was restricted to individuals with a need-to-know. The most recent search of the shared network drives was in 2011. The Office of the Chief Information Officer (OCIO) is currently looking into alternatives for PII scanning and dispositioning to resume the scanning process.

On September 29, 2006, in an effort to identify how PII is used in the NRC and to develop policies and procedures to protect PII, the NRC's Senior Agency Official for Privacy established the PII task force. The PII task force began its efforts in October 2006, coordinating with each of the agency's program and support offices and compiling details of the types of PII used throughout the agency, the data sources that contain PII, the forms the agency uses that collect PII, the uses and dissemination of PII, and the methods used to store and safeguard PII. In May 2007, the PII task force began analyzing the information compiled to determine how and where specific uses and collections of the SSN could be reduced or eliminated. As a result of this collaboration, the following actions were taken:

  • The Office of Administration (ADM) modified its Dosimeter Tracking System to eliminate the use of the SSN to verify an employee's identity for tracking dosimeters. The employee identification number replaced the SSN in this system.
  • The Office of the Chief Human Capital Officer (OCHCO) eliminated the use of the SSN on quality assurance reports and on general distribution versions of the Employee Profile Report.
  • The Office of the Chief Financial Officer (OCFO) developed a new vendor table that masks all PII in its Federal Financial System. This development was carried forward when the agency upgraded its core financial system in Fiscal Year (FY) 2011 to the Financial Accounting and Integrated Management Information System (FAIMIS). For users needing full access to the vendor table (unmasked) and other tables containing PII, it will be necessary to verify that full access is indeed required because of the user's job description.

In addition, the Official Travel Authorization form (NRC Form 279), the Travel Voucher form (NRC Form 64), and the Claim for Reimbursement for Expenditures on Official Business form (Standard Form 1164, local travel voucher) no longer require the employee's full SSN. These documents only require the last four digits of the employee's SSN. This minimizes the exposure of the traveler's SSN as travel documents move through the approval, accounting, and payment process.

To eliminate the unnecessary collection of PII, in August 2007, the staff began a review of agency forms that collect information about individuals. The staff reviewed each form in coordination with the sponsoring office to determine if the collection of PII, especially the SSN, was necessary. If the collection of all or part of the PII was determined to be necessary, the requirement to collect the PII, especially the SSN, was identified along with any processes and procedures that should be modified to either reduce access to or visually mask the PII. If the staff determined that the collection of part or all of the PII was unnecessary, a decision was made to discontinue the collection or, in the case of the SSN, use another unique identifier. The staff completed this action August 4, 2008. The NRC's forms review process is an ongoing effort to ensure that current and proposed agency forms that collect PII are reviewed to prevent, reduce, or eliminate any unnecessary collections.

On March 26, 2008, the staff received instructions to begin a review of agency administrative office files to eliminate any unnecessary use of and access to PII. For most offices, these are the files that include copies of travel, training, and personnel records generated by the office about its staff. The staff was instructed to (1) reduce the volume of collected and retained information about employees assigned to the office to the minimum necessary; (2) not collect, use, or retain employees' SSNs; (3) limit access to these files, as well as the information from these files, to staff with a need-to-know to perform their assigned duties (official business); and (4) secure paper records in locked file cabinets and password protect electronic records, at a minimum, to make information inaccessible to individuals not authorized access. All offices and regions acknowledged completion of this review by September 9, 2008.

The current network data loss prevention system is now configured to identify and alert when unencrypted SSNs and credit card numbers are traversing the network.
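The data-loss-prevention alerting described in the sentence above, the last-four masking now used on the travel forms (NRC Forms 279 and 64, SF 1164), and the "only files changed since the previous search" rule of YA 2007-096 can all be illustrated with one small detector. The following Python is an added example, not NRC code and not the configuration of the NRC's DLP product; every function name is hypothetical, the sample lines are constructed, and the structural SSN rules (area 000, 666 and 900-999, group 00 and serial 0000 are never issued) and the Luhn checksum for card numbers are general public rules that the page itself does not mention.

```python
import re
from dataclasses import dataclass

# Constructed sample "traffic" lines for the illustration; none are real records.
SAMPLE_LINES = [
    "POST /travel/voucher traveler_ssn=123-45-6789 amount=412.50",
    "POST /travel/voucher traveler_ssn=000-00-0000 amount=98.00",  # placeholder, not an SSN
    "order_id=88412 card=4111 1111 1111 1111 exp=12/27",           # passes Luhn
    "order_id=88413 card=4111-1111-1111-1112 exp=12/27",           # fails Luhn
    "employee_id=E-2048-7731 dosimeter=DT-00931",                   # identifiers, not PII
]

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits, each optionally followed by one space or dash (cards as typed or printed)
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules for issued SSNs (public SSA rules, an assumption of this example):
    area 000, 666 and 900-999, group 00 and serial 0000 are never assigned, so an
    all-zero placeholder such as 000-00-0000 never raises an alert."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum carried by payment-card numbers. It filters random digit runs,
    but roughly one in ten random runs still passes, so it is a filter, not proof."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, folding to one digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_ssn(ssn: str) -> str:
    """Keep only the last four digits, as the NRC travel forms now do."""
    return "XXX-XX-" + ssn[-4:]


def mask_card(digits: str) -> str:
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass
class Finding:
    kind: str     # "ssn" or "card"
    masked: str   # masked value that is safe to write to an alert log
    offset: int   # character offset of the match in the scanned line


def scan_text(text: str) -> list:
    """Return the SSN and card-number findings in one line of text."""
    findings = []
    for m in SSN_RE.finditer(text):
        if is_plausible_ssn(*m.groups()):
            findings.append(Finding("ssn", mask_ssn(m.group(0)), m.start()))
    # Blank out SSN-shaped tokens (same length, so offsets are preserved) so they
    # cannot be glued to neighbouring digits and mistaken for part of a card number.
    without_ssn = SSN_RE.sub(lambda m: " " * len(m.group(0)), text)
    for m in CARD_RE.finditer(without_ssn):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append(Finding("card", mask_card(digits), m.start()))
    return findings


def scan_lines(lines) -> dict:
    """Map 1-based line numbers to findings for every line that would alert."""
    alerts = {}
    for n, line in enumerate(lines, 1):
        found = scan_text(line)
        if found:
            alerts[n] = found
    return alerts


def files_to_review(entries, last_search_end: str) -> list:
    """YA 2007-096 rule for the periodic network-drive review: only files placed or
    modified after the end date of the previous search are examined again.
    `entries` are (path, last_modified) pairs using ISO-8601 date strings, which
    order correctly when compared as text."""
    return [path for path, modified in entries if modified > last_search_end]


if __name__ == "__main__":
    for n, found in scan_lines(SAMPLE_LINES).items():
        for f in found:
            print(f"line {n}: {f.kind} at offset {f.offset} -> {f.masked}")
```

Only the masked value reaches the alert log, so the detector itself does not become a new place where full SSNs accumulate; the structural and Luhn filters are what keep the placeholder 000-00-0000 used by Region IV and ordinary identifiers such as employee or dosimeter numbers from producing false alerts.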

On March 25, 2009, the Office of the Chief Information Officer (OCIO) completed the search of the Agencywide Documents Access and Management System (ADAMS) Publicly Available Records System (PARS) for PII and identified 27,983 documents as potentially containing PII.

A review of those documents revealed 128 that actually contained PII. The staff redacted all of those documents and placed them back into PARS.

The staff performs routine reviews of the agency's Privacy Act systems of records (SORs).

These reviews not only ensure that the notices accurately describe the SORs but also provide the opportunity to take a fresh look at the types of records being collected about individuals, to remind staff of the agency requirements to protect the records from unauthorized access, and to eliminate any unnecessary (no longer required) collections or uses of PII. This review is conducted every 2 years, with the last review completed in November 2016.

3. Staff Awareness

To ensure that staff members are familiar with the policies and implementing procedures for the proper protection of PII, routine network announcements and YAs are issued for information and reminder purposes. Other measures to promote staff awareness include the following:
  • NRC mandatory annual awareness courses, which address computer security awareness and information security awareness, have been updated to incorporate guidance on the proper handling and protection of PII.
  • On November 28, 2006, the NRC introduced the PII Project internal Web site to provide the staff with access to OMB's PII guidance, the agency's implementing procedures, and frequently asked questions.
  • The SUNSI handling requirements, which are available on the SUNSI internal Web site, were updated to combine PII with the Privacy Act handling group, providing guidance on access, use outside of the agency, transmission, storage, and destruction. In June of 2013, an announcement was sent to agency staff providing a link to the SUNSI Web site and stating that it is a valuable source of information on current NRC SUNSI policy.

  • OCHCO developed labels to be used on locked containers that transport paper records with SSNs.
  • The OCIO, in coordination with the Office of the General Counsel (OGC) and ADM, developed a contract clause for protecting PII that may be provided, collected, used, possessed, or processed in the course of performing work under an NRC contract.
  • NRC's Personally Identifiable Information Responsibilities Awareness and Acknowledgement of Understanding training was released through YA 2009-116, dated November 16, 2009. The staff developed this training presentation in response to OMB M-07-16 to ensure that all personnel are aware of their responsibilities for protecting PII, understand the consequences for violating these responsibilities, and acknowledge this understanding annually. This training is reviewed annually and updated as needed. NRC announcements are issued annually to remind staff of this mandatory training requirement.
  • The Introduction to Controlled Unclassified Information course was made available to NRC staff April 25, 2011, and the Introduction to Executive Order 13556: Controlled Unclassified Information (CUI) course was made available September 20, 2011. These short courses are not mandatory, but all employees and contractors are encouraged to take them to become familiar with CUI, because the NRC is participating in the Federal-wide initiative to implement the CUI program, which will be phased in over the next few years. These courses provide the basics of the Executive Order as well as what to expect next in the CUI implementation process.

4. Guidance for Submitting Documents to the NRC

On March 9, 2007, the staff issued NRC Regulatory Issue Summary (RIS) 2007-04, Personally Identifiable Information Submitted to the U.S. Nuclear Regulatory Commission. This RIS informs addressees that they should clearly identify documents submitted to the NRC as sensitive if they contain any PII, in accordance with Title 10, Section 2.390, Public Inspections, Exemptions, Requests for Withholding, of the Code of Federal Regulations (10 CFR 2.390), so that these documents will not be placed in the PARS.

5. Actions Taken to Protect PII

Federal Information Processing Standard (FIPS) 140-2 validated and encrypted universal serial bus thumb drives were deployed to staff. This enables authorized staff to securely transport, process, and store electronic PII.

On July 1, 2008, the OCFO started returning processed travel authorizations to all staff in PDF format via e-mail. This paperless delivery better serves all employees, particularly those who work away from the Headquarters Complex, by eliminating the need for the NRC to fax or mail the paper documents.

The payroll provider for the NRC, the U.S. Department of the Interior's National Business Center, has removed or masked the SSN from standard reports and display screens, where appropriate.

The masking of the SSN on the employee copy of the SF-50 was implemented in April 2009.


NRC developed and implemented a new contract clause entitled, Contractor Responsibility for Protecting Personally Identifiable Information. Since June 16, 2009, the new clause has been inserted in all solicitations and contracts, purchase orders, orders awarded against another government agency's contract, and interagency agreements where a contract requires contractor access, inadvertent or otherwise, to any form of NRC-owned or NRC-controlled PII, such as that which may be contained in documents, files, or databases. This clause is used on its own or as a companion clause to 1) Federal Acquisition Regulation (FAR) clauses 52.224-1 and 52.224-2, and 2) other privacy and security safeguards clauses, where the contract requires contractor employee access to such information.

Beginning October 1, 2009, the NRC's eTravel authorization process was condensed from three levels of approval to two. The eTravel system routes an employee's travel authorization request to the designated travel approving official within their office and then to the designated travel funds certification official. Once these approvals have been completed, the traveler is notified by e-mail that the authorization is complete.

The NRC's conversion to the Office of Personnel Management's Electronic Official Personnel Folder (e-OPF) was completed in January 2010. The e-OPF eliminates the need for the NRC to file, copy, fax, or mail the majority of paper personnel documents.

NRC completed the upgrade of SecureZip to the currently supported FIPS 140-2 validated version in November 2010. This upgrade provides further assurance that NRC data sent internally or externally, once zipped and encrypted with this software, cannot be read by anyone other than the intended recipients.

NRC replaced a significant number of standard desktops with mobile desktops (laptops) that employ full disk encryption and use FIPS 140-2 validated encryption for virtual private network (VPN) connectivity to the NRC network, so mobile users can securely use their laptops both at NRC and in remote locations. The mobile desktop distribution started at the end of FY2010. Since the inception of this program, approximately 1,275 mobile desktops have been provided to NRC staff.

NRC implemented a Network Access Control system that identifies unauthorized connections to the NRC network and isolates them on a quarantine network from which they cannot access any NRC resources; the system still allows them access to the Internet. This was completed in June 2011.

NRC completed enhancements to Webmail in June 2011 that allow remote users to securely review e-mail attachments.

NRC uploaded existing employee identification numbers (EINs) from NRC's Time and Labor System (HRMS) to the Department of the Interior's Federal Payroll/Personnel System (FPPS) and transitioned the generation of new EINs from HRMS to FPPS. This makes the EIN available for reporting in the FPPS Datamart, eliminating the need to use the SSN as an interim step that was then translated manually to the EIN. NRC had earlier determined that the EIN is not PII, because it has no meaning outside the NRC environment. By removing the SSN from the report process entirely, protection of employee PII is enhanced.

Additional Activities for FY 2014: NRC continued the process of modifying reports in the FPPS Datamart to use EINs in place of SSNs, to eliminate the unnecessary use of SSNs in all phases of report processing, and modified all of the FPPS Datamart queries that are not required to use SSNs; this effort was completed in FY 2015.
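The EIN-for-SSN substitution described above is a surrogate-identifier (pseudonymisation) pattern: one access-controlled crosswalk holds the SSN, and every downstream report carries only the EIN. The following is an added illustration, not NRC, HRMS or FPPS code; the in-memory registry, the seven-digit EIN format and the sample CSV report are assumptions for the example. It also shows why the surrogate must be randomly assigned rather than derived from the SSN: a hashed SSN is not a pseudonym, because an attacker who knows the area and group digits (for instance from a partially redacted SSN) can brute-force the remaining four.

```python
"""Replacing SSNs with surrogate employee identification numbers (EINs).

Added example, not NRC code. The crosswalk is an in-memory dict here; a real
deployment keeps it inside the access-controlled payroll system only.
"""
import csv
import hashlib
import io
import secrets

EIN_DIGITS = 7  # assumed format for the example


class EinRegistry:
    """The only component that ever sees an SSN: it assigns a random EIN and
    keeps the SSN -> EIN crosswalk. Downstream reports use the EIN alone."""

    def __init__(self):
        self._ein_by_ssn = {}
        self._used = set()

    def ein_for(self, ssn):
        ein = self._ein_by_ssn.get(ssn)
        if ein is None:
            while True:
                # Random, not derived from the SSN: a leaked EIN reveals
                # nothing about the SSN, which is what makes it "not PII".
                ein = f"{secrets.randbelow(10 ** EIN_DIGITS):0{EIN_DIGITS}d}"
                if ein not in self._used:
                    break
            self._used.add(ein)
            self._ein_by_ssn[ssn] = ein
        return ein


def rewrite_report(csv_text, registry, ssn_column="ssn"):
    """Return the report with the SSN column replaced by an EIN column, so the
    SSN never leaves the registry."""
    reader = csv.DictReader(io.StringIO(csv_text))
    fields = [("ein" if f == ssn_column else f) for f in reader.fieldnames]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        row["ein"] = registry.ein_for(row.pop(ssn_column))
        writer.writerow(row)
    return out.getvalue()


# Counter-example: an identifier computed from the SSN is not a surrogate.
def hashed_token(ssn):
    return hashlib.sha256(ssn.encode()).hexdigest()[:16]


def recover_ssn(token, known_prefix):
    """Brute-force a hashed token when the area and group digits are known,
    e.g. from a partially redacted SSN such as 123-45-XXXX (10,000 tries)."""
    for serial in range(10_000):
        candidate = f"{known_prefix}-{serial:04d}"
        if hashed_token(candidate) == token:
            return candidate
    return None


# Constructed sample report; the SSNs are made up for the example.
SAMPLE_REPORT = (
    "ssn,name,hours\n"
    "123-45-6789,A. Employee,40\n"
    "987-65-4321,B. Contractor,32\n"
)

if __name__ == "__main__":
    reg = EinRegistry()
    print(rewrite_report(SAMPLE_REPORT, reg))
    tok = hashed_token("123-45-6789")
    print("recovered from hashed token:", recover_ssn(tok, "123-45"))
```

The rewritten report keys on the EIN only; the registry is the single place where the SSN-to-EIN mapping exists, and is what the FPPS crosswalk must protect. The `recover_ssn` function is the check worth running before accepting any "tokenised" SSN scheme: if the token is a function of the SSN alone, it is reversible.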


Activities for FY2019: NRC recently drafted a direct final rule and companion proposed rule that will amend the NRC's regulations to minimize the circumstances under which inclusion of an individual's SSN is necessary on a document sent through the mail and clarify how this information is to be protected. This rulemaking is to comply with the Social Security Number Fraud Prevention Act of 2017 (the Act) (Public Law 115-59, enacted September 15, 2017). The draft final rule is currently in the concurrence process. The NRC also updated its annual PII training course to include guidance on protecting information when stored on a shared drive. This training is required to be completed annually by all NRC employees and contractors. The NRC is planning to run Varonis DatAdvantage weekly to identify unprotected (open access) PII on the NRC shared drives. Varonis uses the Oracle Outside In SDK to read various file types, including the most common ones, such as Adobe Acrobat, Corel Office, Microsoft Office, and text files. The Varonis Data Classification Engine uses its file activity audit trail to scan only new and modified data incrementally, rather than rescanning everything each time, so the weekly scan remains scalable.

Activities for FY2020: NRC revised its regulations, effective August 17, 2020, to specify when the inclusion of an individual's Social Security account number (SSN) is necessary, maximize the use of partially redacted SSNs where feasible, and require that SSNs not be visible on the outside of any package sent by mail to or from the NRC. This rulemaking fulfills NRC's obligation to comply with the Social Security Number Fraud Prevention Act of 2017.
