Jan 20, 2019

SSN Tokenization Planned

From a contracting notice posted by the Social Security Administration:
This is a Request for Information (RFI). This Sources Sought Notice is for informational and planning purposes only and shall not be construed as a solicitation or as an obligation or commitment by the Government. ...

The Social Security Administration (SSA) is considering a tokenization solution for replacing the Social Security Number (SSN) and Beneficiary Notice Control (BNC) on mailed correspondence to beneficiaries. The purpose of this Request for Information is to identify potential vendors capable of providing such a solution. ...
On September 15, 2017, the President signed into law H.R. 624, the Social Security Number Fraud Prevention Act of 2017, which became Public Law (P.L.) No. 115-59. The law, among other provisions, restricts the inclusion of SSNs on documents the Federal government sends by mail.
The Beneficiary Notice Control has been used to replace the SSN on some agency notices. The BNC is a 13-digit alphanumeric value that can be related back to the beneficiary’s SSN.
The usage of tokenization is being explored to replace the SSN and BNC on mailed documents.

Product Requirements
  • Must be capable of supporting multiple platforms – web, cloud, and mainframe (CICS and Java/COBOL batch). 
  • Must allow for multiple keys when tokenizing an SSN. The same key cannot be used consistently. The same tokenized value should never repeat (even for the same SSN).
  • Must allow for key management – where certain users can be prohibited from accessing the key(s).
  • Must be able to control the length of the tokenized value – for printing and mailing the tokenized value can be no more than 13 digits. 
  • The tokenized value must be unique for all time and never repeated. Meaning, the tokenized value printed on the mailed correspondence will be unique for that particular occurrence and will never be repeated again even if the correspondence is being mailed to the same individual or a completely different individual. 
  • Must be capable of processing very high volumes. ...
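
The uniqueness and length requirements listed in the notice can be met with a vault-style tokenizer, shown here as an added example that is not from the notice, the SSA, or any vendor. It assumes random 13-digit tokens, an SQLite table standing in for the token vault, and a hypothetical `authorized` flag standing in for real access control.

```python
import secrets
import sqlite3

TOKEN_DIGITS = 13  # from the notice: the printed value can be no more than 13 digits


class TokenVault:
    """Vault-style tokenizer: tokens are random; the SSN mapping lives only in the vault."""

    def __init__(self, path=":memory:"):
        self.db = sqlite3.connect(path)
        # PRIMARY KEY on token enforces "never repeated" at the storage layer,
        # across every SSN and every mailing.
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS tokens ("
            "token TEXT PRIMARY KEY, ssn TEXT NOT NULL, notice_id TEXT NOT NULL)"
        )

    def tokenize(self, ssn, notice_id, max_attempts=5):
        """Issue a fresh token for one mailed notice; the same SSN gets a new token each time."""
        if not (ssn.isascii() and ssn.isdigit() and len(ssn) == 9):
            raise ValueError("SSN must be exactly 9 digits")
        for _ in range(max_attempts):
            # CSPRNG output is independent of the SSN, so the token reveals nothing about it.
            token = f"{secrets.randbelow(10 ** TOKEN_DIGITS):0{TOKEN_DIGITS}d}"
            try:
                with self.db:  # commits on success, rolls back on error
                    self.db.execute(
                        "INSERT INTO tokens VALUES (?, ?, ?)", (token, ssn, notice_id)
                    )
                return token
            except sqlite3.IntegrityError:
                continue  # token already issued once: draw again
        raise RuntimeError("could not allocate a unique token")

    def detokenize(self, token, authorized):
        """Resolve a token to its SSN; `authorized` is a placeholder for a real access check."""
        if not authorized:
            raise PermissionError("caller may not resolve tokens")
        row = self.db.execute(
            "SELECT ssn FROM tokens WHERE token = ?", (token,)
        ).fetchone()
        return row[0] if row else None
```

Because the token is drawn at random rather than derived from the SSN, the only way back to the SSN is a vault lookup, so protecting the vault and its access path takes the place of protecting a tokenization key.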

1 comment:

Anonymous said...

Lot of time and money spent by SSA to avoid using the number they created to run the program they run because it was allowed to be misused as it has been. Talk about unintended consequences.