The Social Security Number Fraud Prevention Act of 2017 (the Act), Public Law 115-59, 42 U.S.C. 405 note, was signed on September 15, 2017. The Act restricts the inclusion of SSNs on any documents sent by mail unless the head of the agency determines that the inclusion of the SSN on the document is necessary. The Act also directs agencies to issue regulations that specify when inclusion of an SSN is necessary, include requirements for the safeguarding of SSNs by partially redacting SSNs where feasible and prohibiting the display of SSNs on the outside of any package or envelope sent by mail.

NASA submitted both a proposed and final rule to the Federal Register during the first quarter of FY23.
NASA published a proposed rule in the Federal Register at 87 FR 46908 on August 1, 2022, to proposed amendments to its current regulations at 14 CFR subpart 1212.6.  The 45-day comment period on the proposed rule closed on September 15, 2022, and NASA received one comment from an individual that expressed the importance of keeping social security numbers safe to prevent fraud, one comment from an individual that expressed the importance of continuously updating and clarifying all revisions pertaining to Social Security Numbers because citizens value and expect privacy, and one comment from an individual who provided information about social security income that is not related to this rule.  No significant issues or questions were raised by the commenters and no changes were made to the rule.  Overall, these comments were supportive of NASA enacting this rule.

Additionally, NASA submitted the final rule to revise its regulations under the Privacy Act (14 CFR part 1212.6) to clarify the procedural requirements pertaining to the inclusion of SSNs on documents that NASA sends by mail. Below is Subpart 1212.6:

Subpart 1212.6 Instructions for NASA Employees
    § 1212.604 Social security numbers.
Social Security Numbers on items sent by mail.

1. Social Security account numbers shall not be visible on the outside of any package sent by mail.
2. A document sent by mail may only include the Social Security account number of an individual if it is determined by the Administrator that the inclusion of a Social Security account number is necessary.
3. The inclusion of a Social Security account number of an individual on a document sent by mail is necessary when –

• Required by law; or
• Necessary to identify a specific individual and no adequate substitute is available.

4. Social Security account numbers must be partially redacted in documents sent by mail whenever feasible.

Privacy Act

The Privacy Act of 1974 requires federal agencies to publish a System of Records Notice (SORN) in the Federal Register describing a new or modified system of record (SOR).

As defined by the Privacy Act, a SOR is a collection of records on individuals maintained by NASA from which information is routinely retrieved by the name of the individual or other personal identifier. A SOR is not necessarily an IT system; it can be a collection of paper records too.

Per federal requirement and NASA policy, SORNs are published in the Federal Register for any electronic or non-electronic SORs that contains information on individuals that is routinely retrieved by personal identifiers.