SSA takes the PKI lead
BY DIPKA BHAMBHANI | GCN STAFF
The Social Security Administration is pioneering the government's first large-scale public-key infrastructure effort, using the General Services Administration's Access Certificates for Electronic Services contract.
Judith Spencer, head of the Federal PKI Steering Committee at GSA, called Social Security's online wage-reporting project 'the first significant foray' in business-to-government PKI.
Social Security officials have been on 'the leading edge of PKI for quite a while now,' Spencer said. 'They're leading the charge in many ways.'
Before expanding its PKI efforts, the agency surveyed the 100 employers that participated in its online wage-reporting pilot, at www.ssa.gov/employer/pkipilot/main.html, and found a 90 percent approval rating. The companies have been using the online pilot application to file employee wage reports via Web browser using 128-bit encryption.
Tony Trenkle, deputy associate commissioner for electronic services at Social Security, said the wage-reporting application is only the beginning.
'In the future we'll be looking at piloting with citizens, provided we have the infrastructure in place,' Trenkle said.
Digital Signature Trust Co. of Salt Lake City is the agency's certification authority under the ACES contract. The digital certificates are free through May 31 to pilot participants, who also must obtain employer personal identification numbers and passwords.
Links to the past
The PINs and passwords are for those users still uncomfortable with PKI, Spencer said.
Spencer predicted that the use of passwords would dwindle as word spreads about PKI security and the interoperability benefits the certificates offer for sharing data among agencies.
The wage-reporting initiative is only the beginning, SSA's Tony Trenkle says. Ultimately, SSA will establish PKI services
'Comfort level grows with familiarity,' Spencer said, and there is some skepticism about Social Security's ability to keep information private and secure over the Internet.
The agency tried in 1996 to take interactive transactions online. Its first pilot made Personal Earnings and Benefits Statements available to the public via the Web. Social Security ultimately dropped the project in the face of public concerns about fraud and identity theft.
'What they're doing today is allowing organizations to report to them electronically if they want to,' Spencer said. She called it an important step toward eventually conducting all of Social Security's business transactions online.
Chuck Liptz, a financial management analyst at the agency, said fewer diskettes and printed W-2 forms will make life easier for employers as well as Social Security. 'Can you imagine millions of paper W-2s?' he said.
Tim Pinegar, a senior sales engineer for Digital Signature Trust, said the participating employers create wage reports as separate files in any word processor.
Then, they download and install Social Security's AccuWage/AccuW2C software, which reads the word processing files and detects any errors.
It scrutinizes W-2 wage and tax statements and W-2C correction reports to spot errors before transmission. It can identify more than 200 errors, including spelling and math mistakes.
The system next links users to a version of the Online Wage Reporting System that has been PKI-enabled, Pinegar said. 'Then they [must] present a digital certificate.'
For now, Liptz said, Social Security is paying the full $18 fee per digital certificate issued to an employer, plus $1.24 per report.
The agency also is working with Digital Signature Trust on an online employee verification service, which would let employers verify someone's identity by typing in a name and Social Security number online using PKI.
Trenkle said a PKI working group is trying to figure out how to overcome what he considers the rest of the PKI puzzle that Social Security must solve.
Automating W-2 submissions was a priority for Social Security, which receives more than 240 million forms from nearly 6.5 million employers each year, he said. But other high-priority candidates include the issuing of 125 million benefits statements and 16 million Social Security cards a year.
PKI will evolve, Trenkle said, but success depends on three factors: cost, usability and interoperability. The higher cost of certificates versus PINs and passwords is one issue, Trenkle said.