SSA tests digital certificates
- By Graeme Browning
- Feb 03, 2002
The Social Security Administration has taken another step forward in its effort to make wage reporting easy and electronic for the nation's 6.5 million employers.
In January, SSA began testing a new software application from Digital Signature Trust Co. (DST) that enables employers to electronically sign the wage-reporting forms — W-2s and W-3s — they file with the agency. The pilot project builds on a program tested last year that allows employers to file forms online using a personal identification number and password.
The new application, called SimpleSign, uses digital certificates to bind the employer's identity to the file uploaded to SSA, said Keren Cummins, DST vice president of government services.
The certificates store a user's authentication and authorization information, and any attempt to alter data in a file after it leaves the employer's control automatically triggers an electronic query of whether the certificate is valid. If it isn't, the file will not be accepted, Cummins said.
"This is like a numeric fingerprint," she said. SimpleSign, which DST unveiled Jan. 7, creates "not just a higher measure of authentication for the document employers are sending [to SSA], but also a higher measure of protection for the document."
Even though the PIN and password system provides a high level of security, SSA decided to try digital certificates to reassure employers who are still squeamish about online transactions.
"We're trying to encourage [even] those people to report to us electronically," said Marti Eckert, a computer specialist in SSA's Office of Electronic Services. "This new service allows a data file to be signed prior to sending it to us and allows us when we receive it to verify that nothing happened to the file along the way.... We didn't do that as part of our pilot last year."
The digital certificates that SimpleSign relies on are provided through the General Services Administration's Access Certificates for Electronic Services (ACES) contract, designed to provide public-key infrastructure products and services to agencies doing business with the public. DST holds an ACES contract, as do AT&T and Operational Research Consultants I
SSA also mounted a pilot program in which it will accept the digital certificates issued by Washington state, said Chuck Liptz, SSA management analyst.
The pilot program is designed to investigate the interoperability of the certificates — whether a state or federal government agency can accept security certificates issued by another agency, Liptz said. SSA is accepting the Washington digital certificates during the wage-filing season, which should end around April 1.
"Everyone talks about interoperability, so we wanted to see for ourselves whether it works as easily as the vendors have said it would," Liptz said.
Signing W-2 reports electronically
* An employer clicks a button on the Social Security Administration's Web site to upload wage-reporting data.
* The employer is prompted to choose which digital certificate to use — one from the state of Washington or one issued under the General Services Administration's Access Certificates for Electronic Services contract.
* SSA's server downloads a temporary version of the application, which allows the employer to enter wage reports, attach the digital certificate and upload the package to SSA.
* Once uploaded, the temporary package disables itself and disappears from the employer's screen.