[Federal Register Volume 88, Number 25 (Tuesday, February 7, 2023)]
[Notices]
[Pages 7996-7997]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-02517]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF LABOR

Employment and Training Administration


Federal-State Unemployment Compensation Program: Notice of 
Federal Agency With Adequate Safeguards To Satisfy the Confidentiality 
Requirement of the Social Security Act (SSA)

AGENCY: Employment and Training Administration, Labor.

ACTION: Notice of Federal agency with adequate safeguards.

-----------------------------------------------------------------------

SUMMARY: As further discussed below, the Department of Labor 
(Department) and United States Postal Service (USPS), working with 
states, plan to provide an in-person option for conducting the identity 
verification states perform in administering Unemployment Insurance 
(UI) benefits (the ``Project''). In this notice, the Department 
recognizes that for purposes of conducting in-person identity 
verification in connection with UI benefits, pursuant to a signed 
Interagency Agreement (``IAA'') with the Department, the USPS has in 
place safeguards adequate to satisfy the requirements of section 
303(a)(1), SSA. As a result, the requirements of 20 CFR 603.9, 
including the safeguards and security requirements, do not apply to 
disclosures of confidential unemployment 
compensation (UC) information by state UC agencies to the Department, 
for redisclosure to USPS, for the limited purposes set forth herein.

FOR FURTHER INFORMATION CONTACT: Jim Garner, Administrator, Office of 
Unemployment Insurance, Employment and Training Administration, (202) 
693-3029 (this is not a toll-free number) or 1-877-889-5627 (TTY), or 
by email at [email protected].

SUPPLEMENTARY INFORMATION: The Employment and Training Administration 
(ETA) interprets Federal law requirements pertaining to the Federal-
State UC program. ETA interprets section 303(a)(1) of the Social 
Security Act to require states to maintain the confidentiality of 
certain UC information. The regulations at 20 CFR part 603 implement 
this confidentiality requirement. 20 CFR 603.9 requires States and 
State UC agencies to ensure that recipients of confidential UC 
information have certain safeguards in place before any confidential UC 
information may be disclosed. Section 603.9(d) provides that States are 
not required to apply the requirements of Sec. 603.9, including these 
safeguards and security requirements, to a Federal agency which the 
Department has determined, by notice published in the Federal Register, 
to have in place safeguards adequate to satisfy the confidentiality 
requirement of section 303(a)(1), SSA.
    The authority for USPS to enter into an agreement with the 
Department is 39 U.S.C. 411 and 39 CFR 259.1, which permit USPS to 
furnish nonpersonal services to Executive agencies within the meaning 
of 5 U.S.C. 105. The Department is authorized, under section 2118 of 
the Coronavirus Aid, Relief, and Economic Security (CARES) Act (15 
U.S.C. 9034), to fund and administer projects that detect and prevent 
fraud, promote equitable access, and ensure the timely payment of 
benefits with respect to UC programs. Under these authorities, ETA 
plans to implement the Project as a pilot that will be tested in 
several states. Based on the pilot's results, the in-person identity 
verification may be expanded to other states. USPS and the Department 
will implement the Project, in accordance with the terms of the IAA, to 
offer claimants filing an unemployment claim in a participating state 
the option to verify their identity in person at specified USPS 
locations, which requires the sharing of confidential UC information 
among the participating state UC agencies, the Department, and USPS.
    During the pilot, the initial disclosure of confidential UC 
information will be from the state UC agency to the Department, as 
permitted by the public official exception at 20 CFR 603.5(e). The 
Department will then redisclose the information to USPS. Prior to any 
disclosures taking place for the Project, a signed IAA will be in place 
between the Department and USPS, and an agreement meeting the 
requirements of 20 CFR 603.10 will be in place between the Department 
and each participating state UC agency.
    The Department has determined that for the limited purposes of the 
Project, the methods and procedures employed by USPS for the protection 
of confidential UC information received from the Department, or states 
participating in the Project who have disclosed confidential UC 
information to the Department, meet the requirements of section 
303(a)(1), SSA. USPS operates information technology and database 
systems (collectively, the IT systems) that USPS regularly reviews for 
compliance and security through the USPS Accreditation & Authorization 
(A&A) process. The USPS A&A process aligns with the requirements 
contained in the Federal Information Security Management Act of 2002 
(FISMA), as amended by the Federal Information Security Modernization 
Act of 2014. In addition, the USPS A&A process aligns with the 
International Organization for Standardization (ISO) 27001:2013 and 
27002:2013 and National Institute of Standards and Technology (NIST) 
Risk Management Framework (RMF) guidance, including NIST SP 800-37, 
Risk Management Framework for Information Systems and Organizations, 
which provides detailed guidance for the IT systems authorization 
process. USPS data security controls are a combination of USPS-specific 
controls, ISO 27001, and NIST SP 800-53 Security and Privacy Controls 
for Information Systems and Organizations controls. All USPS controls 
map directly to SP 800-53 rev5 controls. Confidential UC information 
received by USPS in connection with the Project will be stored in an 
on-premises USPS system of records that is within the USPS secure 
network infrastructure. See Identity and Document Verification 
Services, USPS 910.000. Access to the confidential UC information USPS 
receives during the Project will be strictly controlled and monitored 
by both physical and electronic means, limited to authorized USPS 
staff, and not available to any third party. USPS will not utilize any 
subcontractors or third parties to participate in the Project. USPS 
staff who work on the Project undergo required privacy and information 
security training established for USPS employees. No images of 
documents or credentials that claimants present to USPS during the 
identity verification process will be captured or stored by USPS. Any 
confidential UC information that is stored electronically in connection 
with the Project is expunged from the USPS IT systems when the purpose 
for the disclosure is finished, as per the IAA and Project 
specifications. In addition, USPS maintains IT systems sufficient to 
allow for audits and inspections as set forth in the IAA.
    With this notice, the Department recognizes that USPS has in place 
safeguards adequate to satisfy the requirements of section 303(a)(1), 
SSA, for purposes of the confidential UC information received in 
connection with the Project. Thus, pursuant to 20 CFR 603.9(d), the 
requirements of 20 CFR 603.9 do not apply to disclosures of 
confidential UC information to USPS for purposes of the Project. This 
notice is published to inform the public of the Department's 
determination with respect to this agency.

Brent Parton,
Acting Assistant Secretary for Employment and Training.
[FR Doc. 2023-02517 Filed 2-6-23; 8:45 am]
BILLING CODE 4510-FW-P