Download:
pdf |
pdfOMB No. 0960-0760
______________________________________________________________________________
RACBSVXXFXXX
User Agreement
Between
the Social Security Administration (SSA)
And
Company Name
for
Consent Based Social Security Number
Verification (CBSV)
______________________________________________________________________________
�Table of Contents
Table of Contents .......................................................................................................................... 2
I. Purpose and Definitions ....................................................................................................... 4
A. Purpose ................................................................................................................................. 4
B. Definitions ............................................................................................................................ 4
III. SSN Verification and Use .................................................................................................... 5
IV. Responsibilities ..................................................................................................................... 6
A. Requesting Party Responsibilities........................................................................................ 6
B. SSA Responsibilities .......................................................................................................... 10
V. Consent................................................................................................................................. 10
A. Requesting Party Retains Form SSA-89 in Paper Format ................................................. 11
B. Requesting Party Retains Form SSA-89 Electronically..................................................... 12
VI. Technical and Business Process Requirements .............................................................. 12
A. Technical .............................................................................................................................. 12
VII. Protecting and Reporting the Loss of PII ...................................................................... 13
A. The Requesting Party’s Responsibilities in Safeguarding PII ........................................... 13
B. Reporting Lost, Compromised or Potentially Compromised PII ....................................... 14
VIII. Referrals of Individuals to SSA ..................................................................................... 14
IX. Costs of Service .................................................................................................................. 15
X. Duration of Agreement, Suspension of Services, and Annual Renewal......................... 16
A. Duration and Termination of Agreement ........................................................................... 16
B. Suspension of Services ....................................................................................................... 17
C. Annual Renewal ................................................................................................................. 20
XI. Compliance Reviews .......................................................................................................... 20
A. Mandatory Compliance Review by Independent CPA ...................................................... 20
B. Initiating the Compliance Review ...................................................................................... 20
C. Requesting Party’s Cooperation with the Compliance Review ......................................... 21
D. Responsibilities of the CPA ............................................................................................... 21
E. Responsibilities of SSA ...................................................................................................... 22
XII. Unilateral Amendments ................................................................................................... 22
XIII. Indemnification ............................................................................................................... 22
XIV. Disclaimers....................................................................................................................... 23
XV. Integration ......................................................................................................................... 23
XVI. Resolution Mechanism.................................................................................................... 23
XVII. Persons to Contact ......................................................................................................... 23
A. SSA Contacts ..................................................................................................................... 23
B. Requesting Party Contacts ................................................................................................. 24
2 of 47
User Agreement Between SSA and Requesting Party for CBSV
Effective 10/1/2020
�XVIII. Authorizing Signatures and Dates.............................................................................. 25
Attachment A - Form SSA-89 and Form SSA-89 SP............................................................... 26
Attachment B – Form SSA-88 Pre-Approval Form for CBSV............................................... 28
Attachment C - Form SSA-200 CBSV Enrollment Application ............................................. 30
Attachment D - Form SSA-1235 Agreement Covering Reimbursable Services ................... 31
Attachment E - Attestation Statement (COMPANY).............................................................. 32
Attachment F - CBSV Attestation Requirements for CPA and Requesting Party
Compliance Assertions ............................................................................................................... 33
I. Attestation Requirements: ................................................................................................... 33
II. Requesting Party Compliance Assertions: ......................................................................... 34
III. Compliance/Noncompliance Standards ............................................................................ 36
APPENDIX A – External Testing Environment (ETE) – (For Web Service Users Only) ... 41
I. Purpose................................................................................................................................. 42
II. Definitions ............................................................................................................................ 42
III. Technical Specifications and Systems Security & Related Business Process
Requirements............................................................................................................................... 42
A. General Participation Requirements .................................................................................. 43
B. Environment and Platform ................................................................................................. 43
C. Web Service Specific Expertise ......................................................................................... 43
D. Ability to meet SSA’s Schedule......................................................................................... 44
IV. Responsibilities ................................................................................................................... 44
A. Requesting Party’s Responsibilities: .................................................................................. 44
B. Requesting Party Acknowledgements: .............................................................................. 44
C. SSA’s Responsibilities: ...................................................................................................... 45
V. Duration of Agreement and Suspension of Services ........................................................ 45
A. Duration of Agreement ...................................................................................................... 45
B. Suspension of Services ....................................................................................................... 46
VI. Amendments to Agreement............................................................................................... 46
A. Unilateral Amendments ..................................................................................................... 46
VII. Indemnification................................................................................................................. 46
VIII. Disclaimers ...................................................................................................................... 46
IX. Integration .......................................................................................................................... 47
X. Resolution Mechanism........................................................................................................ 47
XI. Persons to Contact ............................................................................................................. 47
XII. Authorizing Signatures and Dates .................................................................................. 47
3 of 47
User Agreement Between SSA and Requesting Party for CBSV
Effective 10/1/2020
�I.
Purpose and Definitions
A. Purpose
The purpose of this User Agreement is to establish the conditions, terms, and safeguards
under which the Social Security Administration (SSA or Agency) will provide the
Requesting Party with verification of Social Security Numbers (SSNs).
B. Definitions
Agency – The Social Security Administration (SSA or Agency).
Assertion – The Requesting Party’s claims to the completeness and accuracy of all
transactions.
Attestation – Declaration by the Certified Public Accountant (CPA) that the Assertions of
the Requesting Party are accurate.
Authorized User – An employee of the Requesting Party whom the Requesting Party has
authorized to submit SSN verification requests and has successfully registered to use the
Consent Based Social Security Number Verification (CBSV) system.
BSO – Business Services Online.
Client – SSN holder who authorizes the Requesting Party to verify his/her SSN through SSA
by completing the Form SSA-89, Consent Form (Attachment A). Under SSA disclosure
regulations, the parent or legal guardian of a minor or legal guardian of a legally incompetent
adult may also authorize disclosure for the subject of the record if he/she is acting on the
individual’s behalf and provides proof of the relationship, such as a birth certificate or court
document.
CBSV – Consent Based Social Security Number Verification
CBSV transaction Fee – the per-SSN verification fee. The Requesting Party must make an
advance payment for estimated annual usage. The transaction fee can change at any time.
Compliance Review – The annual audit performed by the SSA-chosen CPA firm.
Consent Form – Form SSA-89 (Authorization for SSA to Release SSN Verification &
Form-SSA 89 SP Authorization for SSA to Release SSN Verification – Spanish –
Attachment A). Any mention hereafter of the Form SSA-89 includes the Form SSA-89 SP.
Initial Enrollment Fee – a one-time, non-refundable payment to the Social Security
Administration to enroll in CBSV. The initial enrollment fee must be paid by check or ACH
using Pay.GOV. The initial enrollment fee is currently $5,000 but it can change at any time.
4 of 47
User Agreement Between SSA and Requesting Party for CBSV
Effective 10/1/2020
�Personally Identifiable Information (PII) – PII is personally identifiable information, or
any information about an individual maintained by a Requesting Party or Principal,
including: (1) any information that can be used to distinguish or trace an individual‘s
identity, such as name, SSN, date and place of birth, mother‘s maiden name, or biometric
records; and (2) any other information that is linked or linkable to an individual, such as
medical, educational, financial, and employment information.
Principal – Business organization or institution that is the original requesting source for the
SSN verification that enters into a contractual relationship with the Requesting Party to
secure SSN verifications from SSA. The Principal may or may not be the Requesting Party
but is the end-user entity to which the Requesting Party ultimately discloses the SSN
verification result.
Requesting Party – Party signing this User Agreement with SSA, including any and all of
its employees, officers, directors, agents, servants, subsidiaries, personal and legal
representatives, affiliates, successors, assigns, and contractors. The Requesting Party is also
known as the Agent.
Responsible Company Official – The officer or employee of the Requesting Party with
authority to make legally binding commitments on behalf of the Requesting Party.
SSN Verification –The response the agency provides to the Requesting Party after
conducting a verification of the Client’s Fraud Protection Data. With the consent of the
Client, CBSV can verify if the Client’s name, date of birth, and SSN match SSA’s records.
CBSV returns a match verification of “yes” or “no.” If our records show that the Client is
deceased, CBSV returns a death indicator. CBSV does not verify an individual’s identity.
II.
Legal Authority
The legal authority for providing SSN verifications to the Requesting Party or Principal with the
Client’s Written Consent is the Privacy Act (5 U.S.C. § 552a(b)), section 1106 of the Social
Security Act (42 U.S.C. § 1306), and SSA regulation (20 C.F.R. § 401.100).
III.
SSN Verification and Use
SSA will verify SSNs solely for the purposes specified on the individual Form SSA-89 Consent
Forms (Form SSA-89, Authorization for SSA to Release SSN Verification – Attachment A)
associated with the verification request. The Requesting Party must use the verified SSN only
for the purpose(s) specified and authorized by the Client. Exceeding the scope of the consent as
specified in the signed Consent Form violates state and Federal law and subjects the Requesting
Party to civil and criminal liability. SSA recognizes that the Requesting Party may seek
verification of the Client’s SSN on behalf of a Principal pursuant to the terms of the Client’s
Consent Form. In this case, the Requesting Party must ensure that the Principal agrees in writing
to use the verification only for the purpose stated in the Consent Form, and make no further use
or re-disclosure of the verified SSN. The Requesting Party’s relationship with the Principal is
5 of 47
User Agreement Between SSA and Requesting Party for CBSV
Effective 10/1/2020
�subject to the contractual obligations as specified in this document. The Requesting Party must
ensure that the Principal complies with those contractual obligations.
The information obtained from records maintained by SSA is protected by Federal statutes and
regulations, including 5 U.S.C. § 552a(i)(3) of the Privacy Act. Under this section, any person
who knowingly and willfully requests or obtains any record concerning an individual from an
agency under false pretenses will be guilty of a misdemeanor and fined not more than $5,000.
SSA’s verification of an SSN does not provide proof or confirmation of identity. CBSV is
designed to provide the Requesting Party with only a “yes” or “no” verification of whether the
SSA’s records verified the SSN. If SSA’s records show that the Client is deceased, CBSV
returns a death indicator. CBSV does not verify employment eligibility, nor does it interface
with the Department of Homeland Security’s (DHS) verification system, and it does not satisfy
DHS’s I-9 requirements.
IV.
Responsibilities
A. Requesting Party Responsibilities
The Requesting Party’s failure to follow these rules may result in suspension from the program
or a disruption of service.
User Agreement & Attestation of RCO
1. The Requesting Party must designate a Responsible Company Official (RCO) to sign the
Attestation Statement (Attachment E) indicating understanding of the Privacy Act
restrictions relating to the use of this service on behalf of the Requesting Party.
2. The Requesting Party must submit the signed and dated Attestation Statement
(Attachment E) to SSA with the signed User Agreement. The RCO will email the
completed forms to SSA.CBSV@ssa.gov.
3. If the RCO signing the original Attestation Statement subsequently leaves the company
or no longer has authority to make legally binding commitments on behalf of the
company, the Requesting Party will designate a new RCO and have the new RCO submit
a new signed Attestation Statement within 30 calendar days of the original RCO no
longer being able to act in that capacity. A company may only have one RCO.
4. Annually, the RCO will complete and sign the Attestation Statement, which advises them
of their obligations to establish effective internal controls for compliance with CBSV
requirements.
5. If the Requesting Party wants the Agency to recognize the Requesting Party’s successor
in interest to this User Agreement, the Requesting Party must submit written notification
to the CBSV Project Manager at least 30 days prior to the change. The Requesting Party
must provide supporting documentation, including the new company name and EIN, if
applicable, with each submission.
6 of 47
User Agreement Between SSA and Requesting Party for CBSV
Effective 10/1/2020
�6. This Agreement is not transferable; any successor in interest must complete a Form SSA200 (CBSV Enrollment Application – Attachment C) and sign a new User Agreement
with the Agency.
7. If the Requesting Party wants the Agency to recognize: (a) name change; (b) Employer
Identification Number (EIN) change; or (c) or name change and EIN change, the
Requesting Party must:
i) Provide written notification to SSA.CBSV@ssa.gov to the CBSV Project Manager
within 30 calendar days of change;
ii) Provide supporting documentation with each submission;
iii) Complete a new SSA-200 enrollment form; and
iv) Sign a new User Agreement.
Please Note: Any change resulting in a new agreement may result in a disruption in
service.
Form SSA-88 (Pre-Approval Form for CBSV – Attachment B)
8. The Requesting Party must complete the Form SSA-88 (Pre-Approval Form for CBSV –
Attachment B) with requested information for each Authorized User. The Requesting
Party must use one Form SSA-88 to provide information for multiple Authorized Users.
The Requesting Party may attach a separate document listing additional users if the entire
list of Authorized Users cannot fit on one Form SSA-88.
Please Note: A Requesting Party that utilizes both the web service and online
service must submit a separate Form SSA-88 for each service.
9. The Requesting Party must ensure that the Form SSA-88 (Attachment B) identifies the
total number of the Requesting Party’s Authorized Users.
Please Note: SSA will grant the Authorized User online access unless the Form
SSA-88 indicates that the use is for web services. If online access is granted in error,
the Requesting Party must correct the form and wait for a new activation code before
gaining web service access.
Authorized Users
10. The Requesting Party must notify SSA within 14 business days if any change occurs to
the employment status (including, but not limited to, long-term absence, termination of
employment, or change of duties related to CBSV) of any Authorized User or if the
Requesting Party revokes any Authorized User’s authorization to use CBSV. The RCO
must email such updates to SSA.CBSV@ssa.gov.
Service Channels
11. For a real-time response, the Requesting Party may submit requests for verifications
either (1) online or (2) through a web services platform that conforms to SSA’s data
7 of 47
User Agreement Between SSA and Requesting Party for CBSV
Effective 10/1/2020
�configuration as described in the specifications document provided at
https://www.ssa.gov/cbsv/webservice. All requests must specify the name, date of birth,
and SSN of each Client the Requesting Party seeks to verify.
12. SSA may change its method of receiving verification requests and providing verification
results to the Requesting Party at any time. If SSA decides to change its method of
receiving SSN verification requests or providing verification results, the Requesting Party
must bear its own costs incurred to accommodate such changes.
Annual Mandatory Compliance Review
13. A CPA designated by SSA will conduct a compliance review of the Requesting Party at
least annually. The Requesting Party must allow the CPA to come onsite and conduct the
compliance review. SSA factors the cost of the compliance review into the transaction
fee. The CPA’s report will provide an opinion to SSA on the Requesting Party’s
Assertion that it complied with the CBSV User Agreement requirements (see Attachment
F). If SSA does not deem the results of the compliance review satisfactory, SSA reserves
the right to come onsite and perform its own inspection. SSA reserves the right to access
all company books and records associated with the CBSV program at any time.
Fees
14. The Requesting Party must pay the one-time $5,000 initial enrollment fee in advance and
make advance payment of estimated transaction fees for the current fiscal year prior to
submitting any request for verification under this User Agreement. The Requesting Party
must pay in full any remaining balance due for verifications from the previous fiscal year
obligations before it uses CBSV for the following fiscal year. The Requesting Party may
submit a request to SSA to make quarterly installments of advance payments. The
Requesting Party must email the request, along with its agreement number, to
SSA.CBSV@ssa.gov.
Actions and Responsibilities
15. The Requesting Party must ensure that its RCO carries out the following actions and
responsibilities:
a. As part of the registration process for the Online Service, SSA will mail a one-time
activation code to the RCO. SSA mails the activation code to the RCO whose name
appears on Form SSA-88. The RCO must provide the activation code to the
Authorized Users named in the letter in order to complete the registration process and
to activate access to CBSV services. Each Authorized User must login to BSO and
enter the activation code in order to activate online services, and follow the preregistration process described in the CBSV User Guide.
b. As part of the registration process for Web Services, SSA will mail a one-time
activation code to the RCO. The RCO must provide his or another Authorized User’s
information on Form SSA-88. The RCO will be the representative Authorized User
8 of 47
User Agreement Between SSA and Requesting Party for CBSV
Effective 10/1/2020
�for the Requesting Party when using the Web Service and must follow the registration
process described in the CBSV User Guide.
c. The RCO, jointly and on behalf of the Requesting Party, must be responsible for all
access requests made through the Requesting Party’s Web Service. The Requesting
Party must maintain an audit trail to track all CBSV activities of each Authorized
User and the RCO must be responsible for the Requesting Party’s compliance with
the requirement to maintain this audit trail.
d. Each Authorized User is responsible for maintaining his or her account and password.
Online passwords expire every 90 days; web service passwords expire after 1
calendar year. SSA does not send out reminders to update passwords.
16. The Requesting Party must ensure that any Principal to whom the Requesting Party
discloses verification results acknowledges and agrees to comply with all of the
requirements, as applicable, under this User Agreement via a contractual relationship the
Requesting Party establishes with the Principal as outlined in Attachment F.
17. The Requesting Party must inform all authorized personnel with access to the verification
results of the confidential nature of the information and the administrative, technical and
physical safeguards required to protect the information from improper disclosure. All
confidential information must be stored in an area that is physically safe from
unauthorized access at all times. Confidential information includes access to the CBSV
service, forms and passwords.
18. The Requesting Party must obtain, at its own expense, the hardware, software, or other
equipment necessary to establish connection to CBSV either through the online service or
the web service.
19. Each Authorized User must certify to SSA that: (i) he or she must submit verification
requests to SSA only when he or she has information, knowledge, or a reasonable belief
that the requests are supported by the requisite Consent Forms; and (ii) he or she is aware
that any verification request submitted to SSA without the requisite Consent Form is
subject to legal penalties and could lead to termination of this User Agreement.
20. The Requesting Party must use the External Testing Environment to test verifications
through the web service channel. SSA does not offer a test environment for the online
service channel.
21. With respect to advertising, the Requesting Party acknowledges the following
a. Section 1140 of the Social Security Act authorizes SSA to impose civil monetary
penalties on any person who uses the words “Social Security” or other programrelated words, acronyms, emblems and symbols in connection with an advertisement,
solicitation or other communication, “in a manner which such person knows or
should know would convey, or in a manner which reasonably could be interpreted or
construed as conveying, the false impression that such item is approved, endorsed, or
authorized by the Social Security Administration . . . .” 42 U.S.C. § 1320b-10(a).
9 of 47
User Agreement Between SSA and Requesting Party for CBSV
Effective 10/1/2020
�b. The Requesting Party or any of its Principals is specifically prohibited from using the
words “Social Security” or other CBSV program-related words, acronyms, emblems
and symbols in connection with an advertisement for “identity verification.”
c. The Requesting Party or any of its Principals is specifically prohibited from
advertising that an SSN verification provides or serves as identity verification.
B. SSA Responsibilities
1. SSA will compare the information provided in the Requesting Party’s verification request
with the information in SSA’s Master File of SSN Holders and provide verification
results in an appropriate format and method.
2. SSA will review CBSV verification requests and verification results, conduct audits,
generate reports, and conduct site visits of the Requesting Party as needed to ensure
proper use to deter fraud and misuse. SSA, in its sole discretion, will determine the need
for audits, reports, or site visits upon its review of the Requesting Party’s submissions,
verification results, or CPA audit reports.
3. SSA will send low balance reminders to the Requesting Party.
4. SSA will make every attempt to provide advanced notification of planned outages. These
notices will be posted on the CBSV website and the CBSV staff will send an email to the
Requesting Party contact listed in this agreement.
5. SSA will provide an External Testing Environment for use during web service
development and troubleshooting technical issues. SSA does not offer a testing
environment for online service users.
Please Note: Requesting Parties must not conduct web services or online testing in
the CBSV production environment. Testing in the production environment may
lead to suspension of CBSV services.
6. SSA will make onsite inspections of the Requesting Party’s site, including a systems
review, to ensure that the Requesting Party has taken the required precautions to protect
the Consent Forms and the information contained therein and to assess overall system
security.
7. At any time, SSA may complete unscheduled reviews of Consent Forms by requiring the
Requesting Party to produce a random sample of Consent Forms connected with
verification requests submitted by the Requesting Party.
V.
Consent
A standardized Form SSA-89, Authorization for SSA to Release SSN Verification, is included as
Attachment A to this User Agreement. The Form SSA-89 is an Office of Management and
Budget (OMB) approved form; therefore, the Requesting Party must not alter this form.
10 of 47
User Agreement Between SSA and Requesting Party for CBSV
Effective 10/1/2020
�Please Note: Facsimile (fax) date/time stamps, barcodes, quick response (QR) codes, and
tracking numbers may be added to the margins of the front of the Form SSA-89. These are
the only acceptable alterations to the Form SSA-89.
The Requesting Party must obtain a signed Form SSA-89 from each Client for whom the SSN
verification is requested before submitting a verification request. If the request is for a minor
child (under age 18), a parent or legal guardian must sign the Form SSA-89. If the request is for
a legally incompetent adult, a legal guardian must sign the Form SSA-89. If the parent or legal
guardian signs the Form SSA-89, the Requesting Party must retain proof of the relationship, e.g.,
a copy of the birth certificate or court documentation proving the relationship. A third party
(e.g., a spouse, an appointed representative, an attorney, a third party with a power of attorney) is
not authorized to execute the Form SSA-89 on the Client’s behalf. Please Note: SSA does not
recognize Power of Attorney for consent purposes.
The original Form SSA-89 must be completed and contain a hand-written “wet” signature, and
must include the date of birth of the Client. The Requesting Party must not accept digital or
electronic signatures.
The Client may change the period during which the consent will be valid. The Client must
annotate and initial this change in the space provided on the Form SSA-89. The Requesting
Party or Principal must not request the SSN verification from SSA prior to receiving physical
possession of a signed Form SSA-89 from the Client. SSA will receive the request for SSN
verification within the period specified on the Form SSA-89 or within 90 days, from the date the
Client signed the Form SSA-89 if the Client did not establish an alternate timeframe on the Form
SSA-89.
The Requesting Party must retain the signed Form SSA-89s for a period of five (5) years from
the date the request signed by the client, either in paper format or electronically. The Requesting
Party must protect the confidentiality of completed Form SSA-89s and the information therein,
as well as the associated verification result. The Requesting Party must also protect the Form
SSA-89s from loss or destruction by taking the measures below. (See Section VI in this User
Agreement for Technical Specifications and System Security and Related Business Process
Requirements and Section VII in this User Agreement for instructions on Protecting and
Reporting the Loss of PII.)
A. Requesting Party Retains Form SSA-89 in Paper Format
If the Requesting Party chooses to retain the Form SSA-89s in paper format, the Requesting
Party must store the Form SSA-89s in a locked, fireproof, and waterproof storage receptacle.
The Requesting Party must restrict access to all confidential information to the minimum
number of employees and officials who need it to perform the process associated with this
User Agreement. The stored data must not be reused. The Requesting Party cannot reuse a
Written Consent to submit another SSN Verification request or for different purposes.
However, the Requesting Party can mark its own records as “verified” or “unverified” for
future reference.
11 of 47
User Agreement Between SSA and Requesting Party for CBSV
Effective 10/1/2020
�B. Requesting Party Retains Form SSA-89 Electronically
If the Requesting Party chooses to retain the Form SSA-89 electronically or store them on
removable electronic media (such as CDs), the Requesting Party must: (1) password protect
any electronic files used for storage; (2) restrict access to the files to the RCO and/or his or
her designee; and (3) put in place and follow adequate disaster recovery procedures.
When using either of the electronic storage means, the Requesting Party must destroy via
shredding the original paper Form SSA-89 immediately after converting the paper Form
SSA-89 to electronic media.
VI.
Technical and Business Process Requirements
A. Technical
1. The Requesting Party will not have direct access to SSA’s databases. The Requesting
Party must encrypt verification requests per the instructions provided in the CBSV
Interface Specification document located here:
https://www.ssa.gov/cbsv/webservice.html.
2. All testing must be done using CBSV’s free External Testing Environment (ETE).
3. The Requesting Party must obtain, at its own expense, the hardware, software, or other
equipment necessary to establish connection to CBSV either through the online service or
the web service.
4. The Requesting Party must obtain, at its own expense, Internet service in order to access
the CBSV portion of the online service.
5. The Requesting Party must bear all costs it incurs for site preparation, connection,
operating costs, and any other miscellaneous costs to participate in CBSV.
6. The Requesting Party must provide SSA with a valid e-mail address for
communications. SSA reserves the right to conduct on-site visits to review the
Requesting Party’s documentation and in-house procedures for protection of and security
arrangements for confidential information and adherence to terms of this User Agreement
7. The Requesting Party may use either method of CBSV service delivery (online or web
service); however, due to the unique nature of SSA’s authentication, an Authorized User
may only have one access role – either online or web services.
8. If the Requesting Party chooses to use both online and web service, it must assign two
different Authorized Users.
12 of 47
User Agreement Between SSA and Requesting Party for CBSV
Effective 10/1/2020
�9. The Requesting Party is responsible for the one-time initial enrollment fee and annual
advance payments for estimated transactions, regardless of the number of methods of
service it uses.
10. The Requesting Party and its Principals must follow the detailed requirements and
procedures for using and testing CBSV that are set forth in this User Agreement and User
Guide. SSA’s User Guide and sample User Agreement are available online at
https://www.ssa.gov/cbsv. SSA may amend the User Agreement, User Guide, and
Interface Specifications at any time, at its discretion.
11. If the Requesting Party and its Principals access CBSV through the web service platform
client application, the Requesting Party must maintain an automated audit trail record
identifying either the individual User or the system process that initiated a request for
verification results from SSA.
12. Every verification request must be traceable to the individual Authorized User or the
system process that initiated the transaction. At a minimum, individual audit trail records
must contain the data needed to associate each verification request to its initiator and the
relevant business purpose (e.g., the Principal for whom SSA verification results were
requested), and each verification request must be time and date stamped. Each
verification request must be stored in the audit trail record as a separate record, not
overlaid by subsequent verification requests.
13. If the Requesting Party retains in its system any verification results from SSA, or if
certain data elements within the Requesting Party’s system indicate that the information
has been verified by SSA, the Requesting Party must restrict access to the files to the
RCO and/or his or her designee and ensure that its system also captures an audit trail
record, with the same requirements as for the web service platform client application, of
any user who views the SSA-verified information stored within the Requesting Party’s
system.
14. The Requesting Party must process all verification results under the immediate
supervision and control of authorized personnel in a manner that will protect the
confidentiality of the verification results; prevent the unauthorized use of the verification
results; and prevent access to the verification results by unauthorized persons.
VII.
Protecting and Reporting the Loss of PII
A. The Requesting Party’s Responsibilities in Safeguarding PII
1. The Requesting Party must establish, maintain, and follow its own policy and procedures
to protect PII, including policies and procedures for reporting lost or compromised, or
potentially lost or compromised, PII. The Requesting Party must inform its Authorized
Users who handle PII of their individual responsibility to safeguard such information. In
addition, the Requesting Party must, within reason, take appropriate and necessary action
to: (1) educate Authorized Users on the proper procedures designed to protect PII; and
(2) enforce their compliance with the policy and procedures prescribed.
13 of 47
User Agreement Between SSA and Requesting Party for CBSV
Effective 10/1/2020
�2. All Requesting Parties, Principals, and Authorized Users must properly safeguard PII
from loss, theft, or inadvertent disclosure. Each Authorized User is responsible for
safeguarding this information at all times, regardless of whether or not the user is at his or
her regular duty station.
B. Reporting Lost, Compromised or Potentially Compromised PII
1. When the Requesting Party, including the Principal it services, or its Authorized User
becomes aware or suspects that PII has been lost, compromised, or potentially
compromised the Requesting Party, in accordance with its incident reporting process,
must provide immediate notification of the incident to the primary SSA contact within 1
hour of the PII loss. If the primary SSA contact is not readily available, the Requesting
Party must immediately notify the SSA alternate, if names of alternates have been
provided. (See Section XVII of the User Agreement for the phone numbers of the
designated primary and alternate SSA contacts.) The Requesting Party must act to ensure
that each Authorized User has been given information as to whom the primary and
alternate SSA contacts are and how to contact them.
2. The Requesting Party must provide the primary SSA contact or the alternate, as
applicable, with updates on the status of the reported PII loss or compromise as they
become available but must not delay the initial report.
3. The Requesting Party must provide complete and accurate information about the details
of the possible PII loss to assist the SSA contact/alternate, including the following
information:
a. Contact information;
b. A description of the loss, compromise, or potential compromise (i.e., nature of
loss/compromise/potential compromise, scope, number of files or records, type of
equipment or media, etc.) including the approximate time and location of the loss;
c. A description of safeguards used, where applicable (e.g., locked briefcase, redacted
personal information, password protection, encryption, etc.);
d. Name of SSA employee contacted;
e. Whether the Requesting Party or the Authorized User has contacted or been contacted
by any external organizations (i.e., other agencies, law enforcement, press, etc.);
f. Whether the Requesting Party or the Authorized User has filed any other reports (i.e.,
Federal Protective Service, local police, and SSA reports); and
g. Any other pertinent information.
4. If the Requesting Party experiences a loss or breach of data, the Requesting Party must
provide appropriate notice to the affected individuals and take any additional remediation
actions.
VIII.
Referrals of Individuals to SSA
14 of 47
User Agreement Between SSA and Requesting Party for CBSV
Effective 10/1/2020
�If SSA returns a “no-match” result (See Section 6.0 of the CBSV User Guide) to the Requesting
Party, the Requesting Party must take the following actions before making any referrals to SSA
Field Offices for resolution:
1. The Requesting Party must determine whether the data submitted to SSA matches the
data contained on the Form SSA-89. If it does not match, the Requesting Party must resubmit the corrected data to SSA for verification. The Requesting Party must bear the
cost for the resubmission.
2. If the data on the Form SSA-89 matches the data submitted to SSA, the Requesting Party
must contact the Client to verify the original data provided. If the Client corrects the
original data by completing and signing a new Form SSA-89 with the corrected
information, the Requesting Party must submit the corrected data to SSA for verification.
The Requesting Party must bear the cost for the resubmission.
3. If the Requesting Party cannot resolve the data discrepancy, the Requesting Party must
refer the Client to an SSA Field Office to determine the nature of the problem. If
corrections are required, the Requesting Party must submit the correct data to SSA for
verification. The Requesting Party must bear the cost for the resubmission.
4. Some SSN records will not be verifiable by CBSV services. In those cases, follow the
instructions in the CBSV User Guide. Do not refer unverifiable SSN records to the
CBSV staff. The CBSV staff will not manually validate SSNs for the Requesting Party.
IX.
Costs of Service
The Requesting Party must provide SSA with advance payment for the full annual cost of all
services rendered under this User Agreement.
1. The Requesting Party must deposit with SSA, either by credit card or ACH payment
using Pay.GOV, a one–time, nonrefundable enrollment fee of five thousand dollars
($5,000), which will be applied to SSA’s total CBSV operating costs to reduce the actual
transaction fees charged to all users.
2. The Requesting Party must submit payment for transaction fees using Pay.GOV with a
completed and signed Form SSA-1235 (Agreement Covering Reimbursable Services—
Attachment D). Prior to the start of each new federal fiscal year, the Requesting Party
must submit a new, signed Form SSA-1235, accompanied by the full payment of
transaction fees for estimated requests for that federal fiscal year. The federal fiscal year
begins on October 1 and ends on September 30.
3. SSA will credit the account of the Requesting Party and decrement from the advanced
payment as services are rendered. SSA will provide services only if there are sufficient
funds in the Requesting Party’s account. In cases when estimated costs have changed,
the Requesting Party must remain in active status as long as its account balance is
positive. No interest will accrue to the advance payment.
15 of 47
User Agreement Between SSA and Requesting Party for CBSV
Effective 10/1/2020
�4. At least annually, SSA will review its costs related to providing the CBSV services,
recalculate the transaction fee necessary for SSA to recover full costs, and adjust the
transaction fee accordingly. SSA will notify the Requesting Party before any change to
the transaction fee goes into effect.
5. If the recalculation of costs results in an increase or decrease in the transaction fee, the
Requesting Party must sign and submit an amended Form SSA-1235 and may need to
submit additional advance payments to continue receiving CBSV services.
X.
Duration of Agreement, Suspension of Services, and Annual Renewal
A. Duration and Termination of Agreement
This User Agreement is effective upon signature of both parties, including a signed Form SSA1235 and payment in full of all fees due and payable under such Form SSA-1235, and will
remain in effect until terminated or cancelled as follows:
1. The Requesting Party may terminate this User Agreement by sending 30-days advance
written notice to SSA.CBSV@ssa.gov of its intent to terminate this User Agreement and
cancel its participation in the CBSV service. This User Agreement will be terminated
effective 30 calendar days after SSA receives such notice or at a later date specified in the
notice.
2. SSA and the Requesting Party may mutually agree in writing to terminate this User
Agreement, in which case the termination will be effective on the date specified in such
termination agreement;
3. SSA may terminate this User Agreement upon determination, in its sole discretion, that
the Requesting Party has failed to comply with its responsibilities under this User
Agreement. This includes without limitation its obligation to make advance payment, its
requirement to use the Form SSA-89 without modification and in accordance with this
User Agreement, and its responsibilities under Section XI, Compliance Reviews,
including correcting its non-compliance within 30 calendar days of SSA’s notice of such
non-compliance;
4. In the event this User Agreement or the CBSV service is prohibited by any applicable
law or regulation, this User Agreement will be null and void as of the effective date
specified in such law or regulation;
5. SSA may terminate this User Agreement and the CBSV program at its sole discretion. In
case of such cancellation of the CBSV program, SSA will provide all participants in the
CBSV program with advance written notice of SSA’s decision; or
6. If the Requesting Party is dissolved as a corporate entity, this User Agreement is no
longer valid. Any new corporate entity purporting to acquire the Requesting Party’s
interest in this User Agreement must sign a new User Agreement. The rights and
16 of 47
User Agreement Between SSA and Requesting Party for CBSV
Effective 10/1/2020
�obligations under this User Agreement cannot be assigned whether through purchase,
acquisition, or corporate reorganization.
The Requesting Party specifically waives any right to judicial review of SSA’s decision to cancel
the provision of CBSV services or terminate this User Agreement.
After the close of the fiscal year in which this User Agreement is terminated, SSA will refund to
the Requesting Party any remaining advance payment of transaction fees. If the User Agreement
is terminated early in the fiscal year, SSA reserves the right to refund the balance of advance
payment prior to the close of the fiscal year. No interest will accrue during this time.
Notwithstanding the foregoing, the one-time enrollment fee is not refundable for any reason.
B. Suspension of Services
Suspension is a temporary action imposed by SSA on a Requesting Party for a designated
period until the Requesting Party meets certain requirements or rectifies certain conditions.
Suspension is immediate upon notice by SSA to the Requesting Party and remains in effect
until lifted by SSA.
Noncompliance with this User Agreement, including Assertions set forth in Attachment F –
CBSV Attestation Requirements & Requesting Party Compliance Assertions of this User
Agreement, is grounds for suspension of CBSV services at the sole discretion of SSA.
Suspension will be effective immediately upon SSA’s notice. The notice will specify the reason
for the suspension, be sent via e-mail to the Requesting Party’s RCO, and remain in effect until
SSA’s further determination.
If the Requesting Party disputes SSA’s decision to suspend its access, the Requesting Party may
elect to write a letter to SSA specifying the reasons for contesting the suspension. Such letters
may be sent via e-mail and must be received by SSA within 30 calendar days from the date that
SSA transmitted the notice of suspension to the RCO. The Requesting Party must send the
dispute to SSA.CBSV@ssa.gov email address.
After reviewing the Requesting Party’s letter, SSA may make the final determination to: 1) lift
the suspension; 2) continue the suspension; or 3) terminate this User Agreement. SSA will
provide the Requesting Party with written notice of its final decision. SSA’s decision is final and
non-reviewable.
The Requesting Party specifically waives any right to judicial review of SSA’s decision to
suspend or terminate this User Agreement.
SSA may suspend the Requesting Party's use of the CBSV system for any of the following
reasons:
1. Non-Payment,
2. Violation of User Agreement Terms, or
3. Temporary Fix for an Active Record.
17 of 47
User Agreement Between SSA and Requesting Party for CBSV
Effective 10/1/2020
�The following are the three types of noncompliance and their resulting penalties.
Type
Noncompliance
Penalty
Type I
Type I noncompliance consists of multiple infractions that
Suspension of
significantly place PII at risk or have resulted in
CBSV user
unauthorized disclosure of PII and are systemic in nature
privileges for
and includes, but is not limited to the following examples:
90 days or
termination
• Multiple failures to comply with CBSV User Agreement
requirements determined by SSA to be detrimental to
protection of PII.
• Multiple Type II noncompliance.
• Fraudulent use of CBSV access privileges.
• Other issues considered by SSA to place a significant
quantity of PII at risk.
18 of 47
User Agreement Between SSA and Requesting Party for CBSV
Effective 10/1/2020
�Type
Type II
Noncompliance
Type II noncompliance consists of an infraction that could
result in an unauthorized verification being submitted to
SSA or a failure to comply with the consent requirements or
a failure to comply with securing data containing PII. A
Type II noncompliance may also be a failure that might
prevent the completion of the Compliance Review. Type II
noncompliance includes, but is not limited to, the following
examples:
• Verification not authorized by the Client including missing,
unsigned, or fraudulent Form SSA-89 (Attachment A).
• Form SSA-89 accepted without date of authorization.
• Multiple verifications authorized by one Form SSA-89.
• Form SSA-89 submission date exceeds 90-day timeframe or
exceeds alternate timeframe or is submitted before date of
authorization.
• Acceptance of electronic/digital signature on Form SSA-89.
• Retention requirements not followed.
• Purpose stated on Form SSA-89 not specific or allowable.
• Significant alteration of Form SSA-89.
• Requesting Party fails to file a new Form SSA-88 within 14
days of the termination of employment of any employee
listed as an Authorized User on the Form SSA-88.
• Agreements between Requesting Party and Principals do not
contain required elements or constraints as outlined in
Attachment F.II.14.
• Form SSA-89s are not stored securely.
• Audit trail requirements have not been met.
• The Attestation Statement was not submitted within 30 days
of the beginning of the federal fiscal year or for new users,
the Attestation Statement was not submitted with the signed
User Agreement; OR the signatory does not have the
authority to financially bind the company or bear
responsibility.
Type III Type III noncompliance consists of failures that are only
minor in nature. Type III noncompliance would not result in
either unauthorized disclosure of PII or unauthorized SSN
verification requests being submitted to SSA. Examples of
Type III noncompliance includes, but is not limited to, the
following examples:
• Illegible Form SSA-89 (fields not specified above).
• Requesting Party address and/or Principal address (if
applicable) are not included on Form SSA-89.
• Requesting Party information incorrect on the SSA-89.
Penalty
Suspension of
CBSV user
privileges for
60 days
Suspension of
CBSV user
privileges for
30 days
19 of 47
User Agreement Between SSA and Requesting Party for CBSV
Effective 10/1/2020
�Type
•
Noncompliance
Minor alteration of Form SSA-89 wording.
Penalty
C. Annual Renewal
This User Agreement does not authorize SSA to incur obligations through the performance of the
services described herein. Performance of such services is authorized only by execution of Form
SSA-1235 (Agreement Covering Reimbursable Services – Attachment D). Moreover, SSA may
incur obligations by performing services under this User Agreement only on a fiscal year basis.
Accordingly, attached to, and made a part of, this User Agreement, is a Form SSA-1235 that
provides the authorization for SSA to perform services under this User Agreement during the
current fiscal year.
Because SSA’s performance under this User Agreement spans multiple fiscal years, SSA and the
Requesting Party will prepare a new Form SSA-1235 at the beginning of each succeeding fiscal
year during which SSA will incur obligations through the performance of the services described
in this User Agreement. The parties will sign the Form SSA-1235 by September 15 before the
beginning of the Federal fiscal year (October 1st). SSA’s ability to perform work for fiscal years
beyond the current fiscal year is subject to the availability of funds.
SSA will refund to the Requesting Party any excess funds remaining in the Requesting Party’s
account after the close of the federal fiscal year. The remaining balance from one fiscal year
does not carry over to the following fiscal year. The Requesting Party must sign a new Form
SSA-1235 and submit an advance payment prior to the beginning of each fiscal year in a
transaction separate from any refund due from SSA from the previous fiscal year.
The RCO(s) for the Requesting Party must complete an annual Attestation Statement, which
advises them of their obligations to establish effective internal controls for compliance with
CBSV requirements.
XI.
Compliance Reviews
A. Mandatory Compliance Review by Independent CPA
1. The Requesting Party and any of its Principals and subsidiaries using CBSV must submit
to a mandatory annual compliance review.
2. SSA will determine if additional reviews are required. SSA will determine the actual
date of the compliance reviews in consultation with the reviewing CPA.
B. Initiating the Compliance Review
1. An SSA-appointed CPA firm will perform an annual compliance review to determine
whether all authorized transactions are complete and accurate.
20 of 47
User Agreement Between SSA and Requesting Party for CBSV
Effective 10/1/2020
�2. The CPA firm will perform the Compliance review in accordance with the standards
established by the American Institute of Certified Public Accountants and contained in
the Generally Accepted Government Audit Standards (GAGAS).
3. SSA will email a notice to the Requesting Party identifying the name of the retained CPA
firm and its designated contact.
4. SSA will provide to the CPA a statistically valid random sample of the Requesting
Party’s verifications identified by name, SSN and date of birth along with the verification
results provided to the Requesting Party.
5. SSA will use the U.S. Government Accountability Office (GAO) President’s Council on
Integrity and Efficiency’s (PCIE) Financial Audit Manual (FAM), Section 460,
Compliance Tests in determining the sample size.
C. Requesting Party’s Cooperation with the Compliance Review
The Requesting Party must:
1. Provide to the reviewing CPA a copy of this signed User Agreement and all applicable
attachments in their entirety; the Requesting Party must maintain its own copies for the
CPA; and
2. Inform all of its Principals of the requirement to produce supporting documentation upon
the CPA’s request for purposes of compliance reviews.
D. Responsibilities of the CPA
In performance of the Compliance review under this User Agreement, the CPA must use the
review Assertions specified in Attachment F, CBSV Attestation Requirements & Requesting
Party Compliance Assertions (Audit).
In addition, the CPA will:
1. Follow standards established by the American Institute of Certified Public Accountants
(AICPA) and contained in GAGAS.
2. Provide a report containing the results of the Compliance review to the designated SSA
contact within 30 calendar days after completing the Compliance review.
3. Provide the Requesting Party with a copy of the report containing the results of the
compliance review within 30 calendar days after the report is provided to SSA, unless
SSA informs the CPA otherwise.
21 of 47
User Agreement Between SSA and Requesting Party for CBSV
Effective 10/1/2020
�E. Responsibilities of SSA
If the results of the CPA’s review indicate that the Requesting Party has not complied with any
term or condition of this User Agreement, SSA may:
1. Perform its own onsite inspection, audit, or compliance review,
2. Refer the report to its Office of the Inspector General for appropriate action, including
referral to the Department of Justice for criminal prosecution,
3. Suspend CBSV services,
4. Terminate this User Agreement; and/or,
5. Take any other action SSA deems appropriate.
See Attachment F for a list of compliance and non-compliance Assertions.
XII.
Unilateral Amendments
SSA reserves the unilateral right to amend this User Agreement at any time to implement the
following:
1. Minor administrative changes, such as changes to SSA contact information; or
2. Procedural changes, such as method of transmitting requests and results and limits on the
number of verification requests.
SSA will notify the Requesting Party via email of any unilateral amendments under this section.
If the Requesting Party does not agree to be bound by any such unilateral amendment, the
Requesting Party may terminate this User Agreement with 30 calendar days’ written notice.
XIII.
Indemnification
Notwithstanding any other provision of this User Agreement, the Requesting Party must
indemnify and hold SSA harmless from all claims, actions, causes of action, suits, debts, dues,
controversies, restitutions, damages, losses, costs, fees, judgments, and any other liabilities
caused by, arising out of, associated with, or resulting directly or indirectly from, any acts or
omissions of the Requesting Party, including but not limited to the disclosure or use of
information by the Requesting Party or its Principal, or any errors in information provided to the
Requesting Party under this User Agreement.
SSA is not responsible for any financial or other loss incurred by the Requesting Party, whether
directly or indirectly, through the use of any data provided pursuant to this User Agreement.
SSA is not responsible for reimbursing the Requesting Party for any costs the Requesting Party
incurs pursuant to this User Agreement.
22 of 47
User Agreement Between SSA and Requesting Party for CBSV
Effective 10/1/2020
�XIV.
Disclaimers
SSA is not liable for any damages or loss resulting from errors in information provided to the
Requesting Party under this User Agreement. Furthermore, SSA is not liable for damages or loss
resulting from the destruction of any materials or data provided by the Requesting Party. All
information furnished to the Requesting Party will be subject to the limitations and
qualifications, if any, transmitted with such information. If, because of any such error, loss, or
destruction attributable to SSA, SSA will re-perform the services under this User Agreement, the
additional cost thereof will be treated as a part of the full costs incurred in compiling and
providing the information and the Requesting Party must pay these costs.
SSA’s performance of services under this User Agreement is authorized only to the extent that
they are consistent with performance of the official duties and obligations of SSA. If for any
reason SSA delays or fails to provide the services, or discontinues all or any part of the services,
SSA is not liable for any damages or loss resulting from such delay, failure, or discontinuance.
Nothing in this User Agreement is intended to make any person or entity who is not a signatory to
this User Agreement a third-party beneficiary of any right created by this User Agreement or by
operation of law.
XV.
Integration
This User Agreement and the accompanying Form SSA-1235 constitute the entire agreement of
the parties with respect to its subject matter. There have been no representations, warranties or
promises made outside of this User Agreement. This User Agreement must take precedence
over any other documents that may be in conflict with it.
XVI.
Resolution Mechanism
In the event of a disagreement between the parties to this User Agreement, the parties will meet
and confer to attempt to negotiate a resolution. If the parties cannot agree on a resolution, the
parties will submit the dispute in writing to the Deputy Commissioner, Office of Budget, Finance
and Management, of SSA, who will render a final determination binding on both parties.
XVII.
Persons to Contact
A. SSA Contacts
1. CBSV Project Team
Email: SSA.CBSV@ssa.gov
Call: 866-395-8801
2. Billing and Payment Issues
Physical address via U.S. Postal Service or overnight carrier
ATTN CBSV Mailstop 2-O-2 ELR DRAC IABT
Social Security Administration
23 of 47
User Agreement Between SSA and Requesting Party for CBSV
Effective 10/1/2020
�6401 Security Blvd
Baltimore, MD 21235
410-597-1673
Email: OF.DRAC.CBSV@SSA.GOV
3. PO Box Address
ATTN CBSV
Social Security Administration
PO Box 17042
Baltimore, MD 21235
Please Note: Advance payment (by credit card or ACH payment via Pay.GOV) is required.
4. Reporting Lost, Compromised or Potentially Compromised PII
Office of Income Security Programs
Project Manager: Christopher David 410-966-4320
Alternate Contact: Antoinette T Ford 410-966-4422
CBSV Technical & Web Services Support
Web.Service.Testing@ssa.gov
B. Requesting Party Contacts
Reminder: Report changes to SSA within 30 calendar days.
Company Name:
_________________________________________
Responsible Company Official:_________________________________________
Title:
_________________________________________
Address:
__________________________________________
__________________________________________
__________________________________________
Telephone:
__________________________________________
Fax:
__________________________________________
Email:
__________________________________________
24 of 47
User Agreement Between SSA and Requesting Party for CBSV
Effective 10/1/2020
�XVIII.
Authorizing Signatures and Dates
The signatories below warrant and represent that they have the competent authority on behalf of
their respective entities to enter into the obligations set forth in this User Agreement.
For Social Security Administration:
________________________________________ Date __________
(Signature)
Printed Name: Susan Wischke
Head of Income Security Policy
For Requesting Party:
_________________________________________ Date ___________
(Signature)
Printed Name: ______________________________
Title: _____________________________________
Company Name: ____________________________
25 of 47
User Agreement Between SSA and Requesting Party for CBSV
Effective 10/1/2020
�Attachment A - Form SSA-89 and Form SSA-89 SP
26 of 47
User Agreement Between SSA and Requesting Party for CBSV
Effective 10/1/2020
�27 of 47
User Agreement Between SSA and Requesting Party for CBSV
Effective 10/1/2020
�Attachment B – Form SSA-88 Pre-Approval Form for CBSV
28 of 47
User Agreement Between SSA and Requesting Party for CBSV
Effective 10/1/2020
�29 of 47
User Agreement Between SSA and Requesting Party for CBSV
Effective 10/1/2020
�Attachment C - Form SSA-200 CBSV Enrollment Application
30 of 47
User Agreement Between SSA and Requesting Party for CBSV
Effective 10/1/2020
�Attachment D - Form SSA-1235 Agreement Covering Reimbursable Services
31 of 47
User Agreement Between SSA and Requesting Party for CBSV
Effective 10/1/2020
�Attachment E - Attestation Statement (COMPANY)
ATTESTATION STATEMENT FOR
USING THE SSN VERIFICATION PROCESS
(Signature required annually)
Name and address of company requesting services:
______________________________________________________________________
______________________________________________________________________
______________________________________________________________________
______________________________________________________________________
The Requesting Party understands that the Social Security Administration (SSA) will verify
Social Security Numbers (SSN) solely to ensure that the records of my Clients or my Principal’s
Clients are correct for the purpose(s) indicated on the Form SSA-89 (Authorization for SSA to
Release SSN Verification – Attachment A), obtained from the Clients.
The information received from records maintained by SSA is protected by Federal statutes and
regulations, including 5 U.S.C. § 552a(i)(3) of the Privacy Act. Under this section, any person
who knowingly and willfully requests or obtains any record concerning an individual from an
agency under false pretenses must be guilty of a misdemeanor and fined not more than $5,000.
The Requesting Party must inform all authorized personnel with access to confidential
information of the confidential nature of the information and the administrative, technical and
physical safeguards required to protect the information from improper disclosure. All
confidential information must at all times be stored in an area that is physically safe from
unauthorized access.
The Requesting Party must restrict access to all confidential information to the minimum number
of employees and officials who need it to perform the process.
[Please clearly print or type your Responsible Company Official's name, title, and phone
number and have him/her sign and date below.]
Name_________________________________________________________________
Title__________________________________________________________________
Phone Number__________________________________________________________
Signature__________________________________________Date_________________
�Attachment F - CBSV Attestation Requirements for CPA and Requesting Party
Compliance Assertions
I. Attestation Requirements:
1. The Compliance review must be performed in accordance with standards applicable to
attestation engagements contained in Generally Accepted Government Auditing
Standards (GAGAS) issued by the Comptroller General of the United States. These
standards also incorporate by reference attestation standards established by the American
Institute of Certified Public Accountants. The period of the compliance review will be the
Federal fiscal year. These standards incorporate independence requirements that the
Certified Public Accountant (CPA) must meet in order to perform the compliance review.
2. The CPA must agree in its letter of engagement with the Requesting Party to make its
compliance review work papers available for review by SSA or its designee.
3. Any questions regarding the compliance review as well as the final report on this
engagement must be directed to:
Office of Data Exchange, Policy Publications, and International Negotiations
Social Security Administration
4700 Annex Building
6401 Security Blvd
Baltimore MD 21235-6401
Name, Email and Telephone: (will be provided when agreement is signed)
4. The Requesting Party must provide a copy of its current CBSV User Agreement in its
entirety to the reviewing CPA engaged to perform the compliance review.
5. SSA will provide to the CPA a random sample of verifications submitted by the
Requesting Party identified by name, Social Security number and date of birth along with
the verification results provided to the Requesting Party.
6. The CPA must send confirmation requests either by mail or e-mail to Social Security
number holders for the random sample of verifications to provide information about the
validity of submitted requests. The CPA must follow up confirmation non-replies in
writing, via mail or by phone. The CPA must provide results of the confirmation process
in a schedule to the compliance report submitted to SSA. The CPA must include all
instances of confirmations indicating that a verification was not authorized in an
addendum to the compliance report. The confirmation process including follow up of
non-replies is a required procedure.
7. Terms that have a special meaning are defined in Section I.C of the CBSV User
Agreement.
33 of 47
User Agreement Between SSA and Requesting Party for CBSV
Effective 10/1/2020
�II. Requesting Party Compliance Assertions:
1. A signed Form SSA-89 (Attachment A) was used to obtain consent for all verification
requests submitted to SSA.
2. The signed Form SSA-89 used to obtain consent for Social Security Number (SSN)
verification contains wet “pen and ink” signatures of the identified individuals.
3. The signed Form SSA-89 used to obtain consent contains all wording as prescribed in
Attachment A of the CBSV User Agreement and no additional wording has been added.
4. The signed Form SSA-89 used to obtain consent was completed in its entirety, without
alterations, including name, date of birth, social security number, stated reason,
Principal’s name and complete address, Agent’s (Requesting Party) name and complete
address, signature and date signed for the Client (social security number holder). The
Form SSA-89 must also include the relationship if the individual signing the form is not
the individual to whom the SSN was issued (for minors or legally incompetent adults).
5. The Agent (Requesting Party) identified on all Form SSA-89s accepted by the company
is a listed party (d/b/a) in the company’s CBSV User Agreement.
6. Regarding the purpose stated on the Form SSA-89:
a. The SSN verification was used only for the purpose stated on the consent form, and
b. The consent form identifies a specific purpose (e.g., “mortgage application” or
“verification for employment”) and is not a general purpose (e.g., “identity
verification” or “identity proof or confirmation”).
7. The date SSN verifications were submitted to SSA was after the date the Form SSA-89s
were signed and dated.
8. The submission date for the SSN verification was not more than 90 days after the Form
SSA-89 was signed and dated unless the authorizing individual specified an alternate
timeframe. If an alternate timeframe was specified, the submission date was within the
alternate timeframe.
9. The company retains all consent forms for five (5) years from the date the SSN
verification was submitted to SSA.
10. For Requesting Parties that are not Principals, the company has:
a. Correctly relayed to the Principal (client) the information regarding the SSN
verification received from SSA.
11. The Requesting Party’s record retention policy has the following elements, if applicable:
a. Paper Form SSA-89s are stored in a locked fireproof and waterproof container and
access is limited to Authorized Users.
b. Electronic - The consent forms retained electronically are password protected,
encrypted, and only authorized personnel identified on the Form SSA-88 (Attachment
B) have access to these files. Passwords issued to personnel who no longer work for
the company or no longer work in the capacity to have access to the files are voided.
Paper consent forms converted to electronic media are destroyed. Disaster recovery
procedures are in place and are being followed.
34 of 47
User Agreement Between SSA and Requesting Party for CBSV
Effective 10/1/2020
�c. Removable Electronic Media (e.g. CD, DVD, flash drive) - All data has been
encrypted and all removable electronic media is stored in a locked, fireproof, and
waterproof storage receptacle. Only Authorized Users have access to this media.
Paper consent forms have been properly destroyed after being stored electronically.
12. The Attestation Statement (Attachment E) is current. The Requesting Party submitted the
attestation statement to SSA within 30 days of the beginning of the fiscal year (October 1
to September 30). For new companies, the Requesting Party submitted the Attestation
Statement with the signed User Agreement. The signer’s authority includes the right to
financially bind the company and bear responsibility for CBSV.
13. Form SSA-88 (Attachment B) is current. The Requesting Party filed a new Form SSA88 with SSA within 14 days of a relevant personnel change (such as removing any
employee previously listed on the SSA-88 as an Authorized User, or adding a new
employee that requires access to CBSV). All employees identified on the Form SSA-88
are still employed by the company, are performing CBSV duties, and are associated with
the correct CBSV service channel (e.g. Online Service or Web Service).
14. For Requesting Parties that are not Principals, the agreements between the company and
its Principals (clients) include the following acknowledgements:
a. The Principal agrees that it must use the verification only for the purpose stated in the
Consent Form, and must make no further use or re-disclosure of the verification; and
b. The agreements acknowledge that Section 1140 of the Social Security Act authorizes
SSA to impose civil monetary penalties on any person who uses the words "Social
Security" or other program-related words, acronyms, emblems and symbols in
connection with an advertisement, solicitation or other communication, "in a manner
which such person knows or should know would convey, or in a manner which
reasonably could be interpreted or construed as conveying, the false impression that
such item is approved, endorsed, or authorized by the Social Security
Administration..." 42 U.S.C. § 1320b-10(a); and
c. The agreements acknowledge that the company and its Principals are specifically
prohibited from using the words "Social Security" or other program-related words,
acronyms, emblems and symbols in connection with an advertisement for “identity
verification”; and
d. The agreements further acknowledge that the company and its Principals are
specifically prohibited from advertising that SSN verification provides or serves as
identity verification; and
e. The agreements acknowledge that SSA has the right of access to all company books
and records associated with the CBSV program at any time; and
f. The Principal agrees to receipt the completed Form SSA-89 (Attachment A) prior to
submitting verifications; and
g. The Principal agrees to follow the same requirements for safeguarding and reporting
the loss of PII as outlined in Section V (B) of the User Agreement.
35 of 47
User Agreement Between SSA and Requesting Party for CBSV
Effective 10/1/2020
�15. The Requesting Party’s audit trail and activity logs can track the activity of Authorized
Users who request information or view SSA-supplied information within the Requesting
Party’s system, including viewing Form SSA-89s stored electronically.
III. Compliance/Noncompliance Standards
The following are the compliance and noncompliance standards for use in required CBSV
compliance reviews.
Compliance
Compliance
Noncompliance
Assertion
1
Signed Form SSA-89 (Attachment
Type II: Signed Form SSA-89 was
A) provided.
not provided to auditor.
2
Written (pen and ink) and original
Type II: Signature on the Form
signature on the Form SSA-89.
SSA-89 is printed electronically.
The number holder confirms that
Form SSA-89 does not represent
his/her authorization of verification.
3
Form SSA-89 approved by OMB is
Type II: Form SSA-89 is altered
not altered in any way and includes
from Attachment A of the CBSV
the Privacy Act and Paperwork
User Agreement by either added
Reduction Act.
wording or deleted wording, and/or
does not include the Privacy Act and
Paperwork Reduction Act.
4
Form SSA-89 includes name, date of Type II: Form SSA-89 is missing
birth, social security number, stated
any of following: name, date of birth,
purpose, Principal’s name and
social security number, stated
complete address, agent (Requesting purpose, Principal’s name,
Party) name and complete address,
Principal’s complete address, agent’s
signature and date signed for the
(Requesting Party) name, agent’s
authorizing individual. Form SSA- complete address, signature and date
89 must include the signer’s
signed, relationship (if required).
relationship if he or she is not the
individual to whom the SSN was
issued.
36 of 47
User Agreement Between SSA and Requesting Party for CBSV
Effective 10/1/2020
�Compliance
Assertion
4a
5
6
7
Compliance
Noncompliance
The Form SSA-89 contains the
signature of a parent or legal
guardian if the request is for a minor
child (under age 18), or of a legal
guardian if the request is for a legally
incompetent adult. The parent or
legal guardian signed the consent
and the Company retained proof of
the relationship, (e.g. a copy of the
birth certificate or court
documentation proving the
relationship). The relationship field
must be completed. SSA does not
recognize Power of Attorney for
CBSV purposes.
Form SSA-89 does not contain the
signature of a parent or legal
guardian and the request is for a
minor child (under age 18), or it does
not contain the signature of a legal
guardian and the request is for a
legally incompetent adult. The
parent or legal guardian signed the
consent and the Company did not
retain proof of the relationship (e.g. a
copy of the birth certificate or court
documentation proving the
relationship). The relationship field
is not completed.
The Agent (Requesting Party)
identified on all Form SSA-89s
accepted by the company is a listed
party (or d/b/a) in the company’s
CBSV User Agreement.
The purpose stated on the Form
SSA-89 is consistent with the
business of the Principal and is
specific. Examples of a specific
purpose include mortgage loan
application, verification for
employment, credit card application,
or seeking credit with lender.
The date the SSN verification
request was submitted to SSA was
on or after the signature date on
Form SSA-89. When the date and
time the manually signed Form SSA89 was received by the Requesting
Party is available, the determination
of compliance should consider time
as well as date.
Type II: The Agent (Requesting
Party) identified on all Form SSA89s accepted by the company does
not match the name (or d/b/a) in the
company’s CBSV User Agreement.
Type II: Purpose stated on the Form
SSA-89 is not specific. Examples of
non-specific purpose include verify
identity, confirmation, proof identity,
and application. Type III: The
purpose stated on the Form SSA-89
is not consistent with the business of
the Principal.
Type II: The submission date for the
SSN verification was before the
signature date on Form SSA-89.
37 of 47
User Agreement Between SSA and Requesting Party for CBSV
Effective 10/1/2020
�Compliance
Assertion
8
9
10
11
Compliance
Noncompliance
The date the SSN verification
request was submitted to SSA was
within 90 days of the signature date
on the Form SSA-89 or was within
the alternate timeframe if specified
by authorizing individual and
submission date was within alternate
timeframe.
Form SSA-89s are available either in
paper or electronic format from
Requesting Party’s records five (5)
years from verification date of the
SSN.
Type II: The submission date was
more than 90 days after the signature
date or was after the specified
alternate timeframe specified by the
authorizing individual.
Type II: Requesting Party cannot
provide Form SSA-89, which
authorizes a specific verification,
five (5) years from verification date
of the SSN. Form SSA-89s that are
obtained from the Principal for
purposes of establishing compliance
with this requirement are indicative
of non-compliance with this
requirement.
The Requesting Party correctly
Type II: The Requesting Party did
informed the Principal of the results not correctly inform the Principal of
of SSN verification. The results were the results of SSN verification. The
not altered in any way.
Requesting Party altered the results
prior to sending them to the
Principal.
The Form SSA-89s retained
Type II: The Form SSA-89s retained
electronically are password
electronically are not password
protected, encrypted, and only
protected, not encrypted, or are
accessible by personnel identified on accessible by unauthorized
Form SSA-88. Passwords are
personnel. Passwords are not
deactivated when employees
deactivated when employees
separate from the company. If stored separate from the company. If stored
electronically, paper Form SSA-89s
electronically, paper Form SSA-89s
are destroyed. Disaster recovery
are not destroyed. Disaster recovery
procedures are in place and being
procedures are not in place or not
followed. Removable electronic
being followed. Removable
media and or paper forms are
electronic media is not safeguarded
safeguarded in a locked, fireproof
in a locked, fireproof and waterproof
and waterproof storage receptacle
storage receptacle or unauthorized
and only authorized personnel have
personnel have access.
access.
38 of 47
User Agreement Between SSA and Requesting Party for CBSV
Effective 10/1/2020
�Compliance
Assertion
12
13
14
Compliance
Noncompliance
The Attestation Statement was
submitted to SSA within 30 days of
the beginning of the federal fiscal
year (October 1 to September 30) or
for new users, the Attestation
Statement was submitted with the
signed User Agreement; AND the
signatory has authority to financially
bind the company and bear
responsibility.
During the timeframe under review,
the Form SSA-88 was current. The
most recent SSA-88 filed with SSA
included all Authorized Users for the
appropriate service channel (Web
Service or Online Service). All
Authorized Users listed on the Form
SSA-88 were employees of the
Requesting Party. All Authorized
Users listed on the Form SSA-88
were still performing duties relating
to the CBSV system.
Type II: The Attestation Statement
was not submitted within 30 days of
the beginning of the federal fiscal
year or for new users, the Attestation
Statement was not submitted with
the signed User Agreement; OR the
signatory does not have the authority
to financially bind the company or
bear responsibility.
Agreements with Principals include:
a) Restrictions on, and penalties
for, reuse and re-disclosure;
b) SSA’s legal authority to
impose civil monetary
penalties;
c) Prohibition of using any
variation of SSA wording
and logo in advertising;
d) Prohibition for advertising
services as identity
verification;
During the timeframe under review,
the SSA-88 was not current. The
most recent Form SSA-88 filed with
SSA did not include all Authorized
Users for appropriate service channel
(Web Service or Online Service).
An employee listed on the Form
SSA-88 was not an employee of the
Requesting Party. An employee
listed on the form was no longer
performing duties related to the
CBSV system.
Please Note: It is not considered
non-compliance if the Requesting
Party files a new Form SSA-88
within 14 days of the termination
of employment of any employee
listed as an Authorized User on the
Form SSA-88.
Type II: Agreements with Principals
missing any of the following:
a) Restrictions on, and
penalties for, reuse and redisclosure;
b) SSA’s legal authority to
impose civil monetary
penalties;
c) Prohibition of using any
variation of SSA wording
and logo in advertising;
39 of 47
User Agreement Between SSA and Requesting Party for CBSV
Effective 10/1/2020
�Compliance
Assertion
Compliance
Noncompliance
e) SSA’s right to access all
Requesting Party books and
records associated with
CBSV at any time.
f) Requirement for receipt of
completed Consent Forms
prior to submitting
verifications.
g) Following the same
requirements for
safeguarding and reporting
the loss of PII as outlined in
Section V(B).
15
The Requesting Party or Principal
can provide an activity log that
tracks the activity of employees who
request information or view SSAsupplied information in the
company’s system, including the
Form SSA-89s stored electronically.
d) Prohibition for advertising
services as identity
verification;
e) SSA’s right to access all
Requesting Party books and
records associated with
CBSV at any time.
f)
Requirement for receipt
of completed Consent
Forms prior to submitting
verifications.
g) Following the same
requirements for
safeguarding and reporting
the loss of PII as outlined in
Section V(B).
Reference to provisions of the
Requesting Party’s User
Agreement with SSA rather than
specific language regarding each
item listed above is considered
non-compliance.
Type I: Failure to maintain the
ability to track access to CBSV data
and results, which prevents the
completion of a compliance review
as required by the User Agreement.
Type II: The Requesting Party or
Principal cannot track the activity of
employees who request information
or view SSA-supplied information in
the company’s system, including the
Form SSA-89s stored electronically.
Suspension will be lifted after the applicable penalty periods only if the Requesting Party has
provided evidence and SSA has determined that the noncompliance at issue has been resolved to
SSA’s satisfaction. The Requesting Party must submit a corrective action plan within 30 days of
the beginning of the suspension period.
40 of 47
User Agreement Between SSA and Requesting Party for CBSV
Effective 10/1/2020
�OMB #0960-0760
APPENDIX A – External Testing Environment (ETE) – (For Web Service Users Only)
______________________________________________________________________
CBSV User Agreement
Between the Social Security Administration (SSA)
And
External-to-SSA Developers
For External Testing Environment (ETE)
______________________________________________________________________
41 of 47
User Agreement Between SSA and Requesting Party for CBSV
Effective 10/1/2020
�I.
Purpose
The External Testing Environment (ETE) provides a dedicated test environment to be used by
external-to-the Social Security Administration (SSA) developers for Consent Based Social
Security Number Verification (CBSV) web services to test their software independent of SSA’s
development activities. The ETE gives the external developers the flexibility to test on an “as
needed” basis to make sure their software remains up-to-date and continues to provide accurate
data on behalf of the public to SSA systems.
The purpose of this User Agreement is to establish the conditions, terms, and safeguards under
which SSA will provide access to external-to-SSA developers for testing within the ETE.
II.
Definitions
Name
SSA
External to SSA Developer
(ETSSAD)
Requesting Party
Application Sponsor
ETE Administrator
Credentials
Description
Social Security Administration
Employee designated by Requesting Party to
process submissions.
Company desiring to access and use the ETE
as represented by an Officer or Employee of
Company possessing authority to make
legally binding commitments on behalf of the
Company.
Owner of SSA application with authority to
approve ETSSAD request
Employee responsible for the management of
the External Testing Environment
Personal Identification Number (PIN) and
Password to access SSA systems.
III.
Technical Specifications and Systems Security & Related Business Process
Requirements
The Requesting Party must secure, at its own expense, the necessary hardware, software, etc. to
establish connection to the ETE. The Requesting Party must have, and must provide at its own
expense, Internet access in order to access the ETE. The Requesting Party must provide SSA
with a valid e-mail address for its representative so that SSA may communicate with the
Requesting Party via email.
All Requesting Party site preparation, connection, and operating costs, as well as any other
miscellaneous costs incurred by the Requesting Party to enable its participation in the ETE, are
the responsibility of the Requesting Party.
42 of 47
User Agreement Between SSA and Requesting Party for CBSV
Effective 10/1/2020
�SSA will give access to ETE documentation to the Requesting Party, which SSA may amend
from time to time at its discretion without amendment to this User Agreement. The requirements
for submitting files, checking status, and retrieving results are set forth in the User Guide.
A. General Participation Requirements
In order to meet general expectations for participation, the ETSSAD will need to:
• Execute test scenarios over a stated period on a repetitive basis to ensure connectivity to SSA
systems.
• Interpret test results and accurately report issues encountered during Web service testing in
enough detail that they can be reproduced.
• Provide feedback to SSA regarding the application’s reliability, stability, and user experience.
• Provide feedback to SSA regarding product enhancements, documentation, and help systems.
• Be able to react to SSA’s software changes.
• Have technical team members available to work with the SSA technical team to troubleshoot
and resolve any connectivity or compatibility challenges incurred during the testing process.
B. Environment and Platform
In order to meet the environment requirements the ETSSAD must:
• Have a Web service development environment that supports development using a .NET and/or
Java-based industry standard technologies.
• Have a test environment that can be setup to connect to SSA’s testing environment. If
necessary, the ETSSAD test environment should be configured to use digital certificates
generated by SSA for testing purposes.
C. Web Service Specific Expertise
The Requesting Party must have the following technical expertise in developing Web service
clients for external Web services that have the following characteristics:
• Conformance to the World Wide Web Consortium (W3C) Web service standards (Simple
Object Access Protocol (SOAP), Web Service Definition Language (WSDL), Web Service
Security [WS-Security]).
• A transport layer security using Hypertext Transfer Protocol Secure (HTTPS), using Secure
Socket Layer (SSL) Certificates signed by well-known Certification Authorities (CAs).
• Protected Web services that require the following authentication mechanisms:
➢ Client Authentication using the Personal Identification Number (PIN)/Password as a part
of the WS-Security SOAP header, and;
➢ Strong Authentication (using X.509 Client Certificates), which authenticates the ETSSAD
based on a digital signature over the SOAP body and timestamp element.
• Experience in successful Web service testing.
43 of 47
User Agreement Between SSA and Requesting Party for CBSV
Effective 10/1/2020
�D. Ability to meet SSA’s Schedule
The ETSSAD must work within SSA’s schedule constraints. The applicant therefore must be able
to:
•
Perform testing during the agreed-upon time frame with help support available on weekdays
between 9 A.M. and 5 P.M. Eastern Standard Time (EST),
•
Support a flexible test schedule, and
•
Participate in pre-scheduled technical status conference calls for the duration of testing.
IV.
Responsibilities
A. Requesting Party’s Responsibilities:
The Requesting Party agrees to create electronic file(s) to be used to test an SSA developed web
service. The Requesting Party may be asked to process SSA generated test data when required.
All requests will conform to the submission requirements outlined in the ETE documentation
which the Requesting Party will have access to upon successful registration for access to the
ETE.
The Requesting Party agrees to provide the name, phone number, email address, and timeframe
for testing. Further, the Requesting Party agrees to notify SSA if there is any change to
employment status (including but not limited to, for example, long-term absence, termination of
employment, change of duties relevant to ETE) for any ETSSAD authorized to use ETE. The
Requesting Party must also notify SSA if they wish to revoke any employee’s authorization to
use SSA’s ETE. SSA will complete the registration process by issuing a unique access code by
SSA to the Requesting Party. The Requesting Party must to provide this code to the ETSSAD as
authentication of the employee’s relationship to the Requesting Party as well as proof of being
authorized by the Requesting Party to submit such requests.
SSA may change its method of receiving verification requests and providing the results to the
Requesting Party at any time. The Requesting Party must be responsible for any costs generated
by SSA's decision to change its method of using the ETE.
B. Requesting Party Acknowledgements:
1. The Requesting Party acknowledges that Section 1140 of the Social Security Act
authorizes SSA to impose civil monetary penalties on any person who uses the words
"Social Security" or other program-related words, acronyms, emblems and symbols in
connection with an advertisement, solicitation or other communication, "in a manner
which such person knows or should know would convey, or in a manner which
reasonably could be interpreted or construed as conveying, the false impression that such
item is approved, endorsed, or authorized by the Social Security Administration . . . ."
42 U.S.C. § 1320b-10(a); and
44 of 47
User Agreement Between SSA and Requesting Party for CBSV
Effective 10/1/2020
�2. The Requesting Party acknowledges that it is specifically prohibited from using the
words "Social Security" or other program-related words, acronyms, emblems and
symbols in connection with an advertisement for products or services; and
3. The Requesting Party acknowledges that the information received from records
maintained by SSA is protected by Federal statutes and regulations, including 5 U.S.C. §
552a(i)(3) of the Privacy Act. Under this section, any person who knowingly and
willfully requests or obtains any information from SSA under false pretenses must be
guilty of a misdemeanor and fined not more than $5,000.
Please Note: These acknowledgements must extend to ETSSAD that are not the
Requesting Party.
C. SSA’s Responsibilities:
SSA mission-related work will have priority over ETE requests on SSA’s information systems
and, therefore, SSA does not guarantee that ETE request results will be available to the
Requesting Party within a specified period. SSA’s posting of ETE request results may be
delayed while SSA performs mission-related work, or while SSA performs systems maintenance.
SSA agrees to provide limited Security and Application specific Help support to ETSSAD. The
intent of this support is not to troubleshoot the Requesting Party’s application, rather to verify
that SSA’s environment is operational. ETSSADs are expected to develop their Web Service
Definition Language (WSDL) based on documentation provided by SSA after successful
registration.
V.
Duration of Agreement and Suspension of Services
A. Duration of Agreement
This User Agreement is effective upon signature of the Requesting Party and issuance of security
credentials and ends in the following situations:
• The timeframe stated by the Requesting Party during the registration process has ended,
leading to the account being suspended.
• SSA cancels any ETE application or the entire environment at any time. However, SSA will
make a reasonable effort to provide a 5-dayday notice prior to such action.
• The Requesting Party gives written notice of its decision to cancel its Agreement. In the
event that the Requesting Party gives notice of its intent to cancel the Agreement, the
Agreement must terminate immediately or at the specified notice date;
• SSA and the Requesting Party mutually agree to cancel the Agreement;
• Cancellation of the Agreement is required by law and must be effective as specified.
This agreement will end if SSA determines that the ETSSAD does not demonstrate the technical
and environmental expertise as stated in Section III of this document.
Please Note: The completion of application testing within the ETE has no bearing on access
to SSA Production systems.
45 of 47
User Agreement Between SSA and Requesting Party for CBSV
Effective 10/1/2020
�B. Suspension of Services
Notwithstanding any other provision of this Agreement, SSA may unilaterally suspend access of
the Requesting Party to ETE services at the Agency’s discretion. Suspension will be effective
immediately upon written notice by SSA to the Requesting Party and will remain in effect until
lifted by SSA. During the suspension period, SSA will send notices to all ETSSAD who have
used the ETE environment on updates relating to the application tested.
The Requesting Party specifically waives any right to judicial review of SSA’s decision to
suspend or cancel this Agreement.
VI.
Amendments to Agreement
A. Unilateral Amendments
SSA reserves the right to make the following types of unilateral amendments to this Agreement
at any time:
• Minor administrative changes (for example, changes to SSA mailing addresses, email
addresses, names of personnel, locations, etc.); and/or
• Process changes (for example, how SSA will receive submissions and provide results to
business partners)
SSA will send unilateral amendments to the Requesting Party to notify them of the change. If
the Requesting Party chooses to cancel this Agreement because of a unilateral amendment, the
Requesting Party must submit written notice of its cancellation to SSA.
VII. Indemnification
Notwithstanding any other provision of this User Agreement, the Requesting Party agrees to
indemnify and hold SSA harmless from all claims, actions, causes of action, suits, debts, dues,
sums of money, accounts, covenants, contracts, controversies, agreements, promises,
representations, restitutions, damages, costs, fees, judgments, and any other liabilities associated
with, or resulting directly or indirectly from, any action, including but not limited to, actions
involving the disclosure of information released by the Requesting Party. SSA will not be
responsible for any financial loss or other loss incurred by the Requesting Party, whether directly
or indirectly, through the use of any data furnished pursuant to this User Agreement. SSA will
not be responsible for reimbursing the Requesting Party any costs incurred by the Requesting
Party pursuant to this User Agreement.
VIII. Disclaimers
SSA is not liable for any damages or loss resulting from errors in information provided to the
Requesting Party under this User Agreement. Furthermore, SSA is not liable for damages or loss
resulting from the destruction of any materials or data provided by the Requesting Party. All
information furnished to the Requesting Party will be subject to the limitations and
qualifications, if any, transmitted with such information.
46 of 47
User Agreement Between SSA and Requesting Party for CBSV
Effective 10/1/2020
�The delivery by SSA of services described herein and the timeliness of the delivery are
authorized only to the extent that they are consistent with proper performance of the official
duties and obligations of SSA and the relative importance of this request to others. If for any
reason SSA delays or fails to provide services, or discontinues the services or any part thereof,
SSA is not liable for any damages or loss resulting from such delay or for any such failure or
discontinuance.
IX.
Integration
This User Agreement constitutes the entire agreement of the parties with respect to its subject
matter. There have been no representations, warranties or promises made outside of this User
Agreement. This User Agreement must take precedence over any other documents that may be
in conflict with it.
X.
Resolution Mechanism
In the event of a disagreement between the parties to this User Agreement, the parties must meet
and confer to attempt to negotiate a resolution. If the parties cannot negotiate a resolution, the
parties must submit the dispute in writing to the Deputy Commissioner of Systems, who will
render a final determination binding on both parties.
XI.
Persons to Contact
SSA Contacts
ETE Project Team
Email: OSES.ETE.Support.Mailbox@ssa.gov
XII. Authorizing Signatures and Dates
The signatories below warrant and represent that they have the competent authority on behalf of
their respective agencies or companies to enter into the obligations set forth in this User
Agreement.
____________________________________
Requesting Party (Signature)
Printed Name: ________________________
Title: _______________________________
Company Name:_______________________
_____________________________________
____________________________________
SSA Representative (Signature)
Printed Name: Susan Wilschke
Title: Head of Income Security Policy
Social Security Administration
47 of 47
User Agreement Between SSA and Requesting Party for CBSV
Effective 10/1/2020
�
| File Type | application/pdf |
| Author | 373325 |
| File Modified | 2025-12-17 |
| File Created | 2025-12-17 |