SSA Cybersecurity a Priority for the OIG, Congress

Beyond the Numbers

Thursday, June 9, 2016
Posted by: The Communications Division

Government information systems, and the data they store, remain targets of cyber attacks. In fact, it was a year ago this week that the U.S. Office of Personnel Management (OPM) announced it had been hacked, resulting in the theft of millions of government personnel records.

As cyber threats evolve and become more complex, it is imperative that all government agencies, including the Social Security Administration, make protecting their networks and information a top priority.

The OIG plays a critical role in overseeing SSA’s efforts to secure its information systems and protect Americans’ personal information; we do this by conducting various IT audits and reviews and making recommendations for improvement to SSA.

Congressional Hearing on SSA Systems

Since the breach at OPM and similar incidents at other government agencies, Congress has taken steps to improve Federal agencies’ cybersecurity, through various legislative efforts, cybersecurity initiatives, and hearings with agency leadership and IT personnel.

Recently, Acting Inspector General Gale Stone joined SSA Acting Commissioner Carolyn Colvin and other SSA IT executives in a hearing before the U.S. House Committee on Oversight and Government Reform, to discuss the agency’s information systems.

In her testimony before Congress, Acting Inspector General Stone stressed that SSA contains sensitive data for nearly every U.S. citizen; thus, improper and unauthorized access to this data could be detrimental for potentially hundreds of millions of Americans. Stone recommended that SSA dedicate resources to ensure the appropriate design and effectiveness of information security controls, and to prevent unauthorized access to the sensitive information the American public entrusts to SSA. You can watch the entire hearing and review all of the written statements here.

Review of SSA Information Security

The Federal Information Security Modernization Act of 2014 (FISMA) exists to ensure that government agencies are properly securing information systems and data. FISMA also requires inspectors general to evaluate their agencies’ information security programs and practices. We review SSA’s compliance with FISMA every year, to ensure the agency is doing all it can to develop and maintain strong cybersecurity practices.

In our most recent FISMA report, we concluded that SSA’s programs and policies were generally consistent with FISMA requirements. However, the audit identified several weaknesses in SSA’s networks. For example, Acting Inspector General Stone reported to Congress that the FISMA review found that “inadequate access controls allowed programmers to have unmonitored access to various systems functions, while other users had inappropriate access to software.”

Stone shared several recommendations for SSA from the FISMA report, including strengthening security tools to provide constant cyber protection and reviewing and improving account management controls. You can find our full FISMA report and many more details on its findings and recommendations here.

Protecting Americans’ personal information is a top priority for SSA and the OIG. Given the speed at which technology evolves, cybersecurity will continue to be a major focus throughout the Federal government.