As required by the Consolidated Appropriations Act, 2016, we are issuing this report on the security of the systems at the Social Security Administration (SSA) that provide access to personally identifiable information (PII). The law requires that our report include information about SSA’s policies, procedures, and capabilities related to
1. controlling access to systems;
2. conducting software inventories;
3. monitoring and detecting exfiltration and other threats; and
4. ensuring contractors implement capabilities to monitor and detect exfiltration and other threats.