Effectiveness of the Social Security Administration’s Server Patch Management Process (Limited Distribution)

October 03, 2014

The National Institute of Standards and Technology recommends that security issues be patched in a timely manner to maintain the operational availability, confidentiality, and integrity of information technology systems. Additionally, the Government Accountability Office’s Federal Information System Control Audit Manual requires that an effective patch management process be documented and implemented. SSA’s policies and procedures also require timely patching of systems.

To test the security of SSA’s systems, the independent public accounting firm we contracted with to audit SSA’s Fiscal Year 2013 financial statements performed systems penetration tests. The firm identified weaknesses with the Agency’s patch management process, which contributed to the firm’s determination that SSA had a significant deficiency in its systems environment.

The objective of this report was to determine whether the SSA server patch management program effectively addressed known system vulnerabilities.
