Fiscal Year 2009 Evaluation of the Social Security Administration’s Compliance with the Federal Information Security Management Act
To determine whether the Social Security Administration’s (SSA) overall security program and practices complied with the requirements of the Federal Information Security Management Act of 2002 (FISMA) for Fiscal Year (FY) 2009.
FISMA provides the framework for securing the Government’s information and information systems. All agencies must implement the requirements of FISMA and report annually to the Office of Management and Budget and Congress on the adequacy and effectiveness of their security programs. FISMA requires that each agency develop, document, and implement an agency-wide information security program.To view the full report, visit http://www.ssa.gov/oig/ADOBEPDF/A-14-09-19047.pdf
We determined that SSA generally complied with FISMA requirements for FY 2009; however, there are areas that need improvement. SSA continues to work toward maintaining a secure environment for its information and systems. For example, SSA continues to have sound processes in a number of areas including certification and accreditation, configuration management, privacy, and system inventory.
Although the Agency continues to protect its information and systems, our FY 2009 financial statement audit identified a significant deficiency in the Agency’s controls over access to its information. SSA did not continually assess individuals’ access to the Agency’s mainframe information. The significant deficiency does not rise to the level of a significant deficiency defined under FISMA because of other compensating controls the Agency has in place, such as intrusion detection systems, guards, closed circuit televisions, automated systems checks, configuration management, and firewalls.
SSA should continue to strengthen its overall security program and practices and ensure future compliance with FISMA and other information security-related laws and regulations; therefore, we recommend SSA: