Good afternoon, Mr. Chairman, Ranking Member Johnson, and Members of the Subcommittee. It's a pleasure to be here today to present our initial efforts under the American Recovery and Reinvestment Act of 2009 (ARRA), as well as our future plans geared toward transparency and accountability. Thank you for the invitation to testify.
The ARRA provided the Social Security Administration (SSA) with $1.09 billion, to be used as follows
- $500 million for necessary expenses for the replacement of the National Computer Center (NCC) and associated information technology costs. This funding is available until expended.
- $90 million to be used to issue approximately $13 billion in one-time Social Security and Supplemental Security Income payments of $250 each.
- $500 million for the processing of disability and retirement workloads, including information technology acquisition and research in support of such activities.
The ARRA also provided the Office of the Inspector General (OIG) with $2 million for salaries and expenses necessary for the oversight and audit of programs, projects, and activities funded by the ARRA. This funding is available through September 30, 2012.
While the majority of substantive SSA-related activities mandated by the ARRA are to be carried out by SSA itself, the OIG is bound by two types of requirements: those which the ARRA imposes on all Inspectors General, and those related to this OIG's specific SSA-related oversight activities.
To briefly address the former, the ARRA requires all Inspectors General to review, as appropriate, any concerns raised by the public about specific investments using Recovery Act funds. Any findings of such reviews, if not related to an ongoing criminal proceeding, must be relayed immediately to the head of the Agency; in this case, the Commissioner of Social Security. Additionally, the ultimate findings of such reviews, along with any audits conducted by any Inspector General of the use of Recovery Act funds, must be posted on the individual Inspector General's website and hyperlinked to Recovery.gov.
To accomplish this, Inspectors General are authorized by the ARRA (in addition to their existing authorities) to examine any records of any contractor, subcontractor, grantee, or subgrantee, and to interview any officer or employee of any contractor, grantee, subgrantee, or agency, if the matter pertains to Recovery Act funds.
Finally, the ARRA also places significant responsibilities on all Inspectors General, who will now play a central role in expanded whistleblower protections. Employees of private employers or State or local governments that receive Recovery funds may not be retaliated against for making allegations concerning such funds to certain sources, including Inspectors General. Inspectors General have 180 days to investigate and make appropriate reports, and the whistleblower has, with certain exceptions, access to the investigative file during that time.
The SSA OIG has taken on a key role in the Inspector General community in this regard, responding to a call from the Chair of the Council of Inspectors General for Integrity and Efficiency (CIGIE). In light of the increased responsibilities of the Inspector General community with respect to whistleblower allegations, it was felt that the community would be best served, and the ARRA best observed, by creating consistency and reliability across the community. As such, the SSA OIG has taken on the task of developing this cross-cutting issue on behalf of the community, beginning with a survey and study of approaches, interpretations, and best practices.
The CIGIE has also formed a working group to support the Recovery Accountability and Transparency Board in its statutory function, and my office is a participant and proponent of that group.
The Office of Management and Budget has issued implementing guidance on the ARRA, and the SSA OIG is compliant with that guidance-we are fully prepared to receive and investigate all ARRA-related whistleblower claims. The SSA OIG's website is not only compliant with ARRA requirements, but goes a step beyond-our internet home page, www.socialsecurity.gov/oig, already displays a prominent link to our Recovery Act reporting, as well as a means of reporting Recovery Act fraud.
The SSA OIG's specific responsibilities, however, rest in its oversight of the Agency's use of Recovery Act funds for the purposes enumerated in the Act: the replacement of the NCC, the processing of retirement and disability workloads, and the issuance of one-time stimulus payments. My office has already completed work in these areas, has additional audits underway, and has still more audits planned.
Replacement of the NCC
The NCC is the repository for the applications and data that support all of SSA's functions, as well as other government functions that rely on SSA data. It was constructed in 1979 and, with current trends, it is estimated that the NCC will reach its maximum data capacity within three to five years. In addition, the NCC's infrastructure, including heating, ventilation, and air conditioning, as well as its electrical components, are at the end of their useful lives. Failure of any large component of the uninterruptible power supply (UPS) cannot be repaired, and the UPS manufacturer will discontinue maintenance of the outdated model at the end of 2015.
As early as 1997, only two years into the OIG's existence, we issued an audit entitled Review of Physical Security at the Social Security Administration's National Computer Center. In that audit, we made some 29 recommendations for the protection of the NCC, most of which SSA agreed with. In 2004, the OIG issued a memorandum, SSA's Alternate Facility Options for the NCC, in which we provided information on alternate facility options in the event of a catastrophic event-such as a terrorist attack-at the NCC. SSA considered our comments in its planning of the Second Data Center, also referred to as the Second Support Center.
In 2008, Lockheed Martin completed an NCC Feasibility Study of the facility that identified infrastructure and data processing capacity issues that pose a significant risk to SSA's continuity of operations. That study recommended that SSA undertake 17 projects to sustain existing information technology operations through Calendar Year 2014.
Under the ARRA, we recently issued a report entitled Quick Response Evaluation: The Social Security Administration's Ability to Address Future Processing Requirements. In this limited distribution report, we sought to assess SSA's efforts to address future processing needs and infrastructure issues at the NCC. Specifically, we assessed SSA's actions in addressing the significant issues identified in the Lockheed Martin study. We noted the importance of ensuring the continued operation of the NCC. SSA estimates that it would cost the taxpayers $25 million for each day that the NCC was not operational. Moreover, during such outages, the Agency would be unable to process tens of thousands of retirement, survivors, and disability claims, as well as Social Security number verifications. This type of service interruption would likely hamper people's ability to obtain employment, driver's licenses, even loans and mortgages.
We found that SSA had already taken or planned some corrective action on 13 of the 17 recommended projects. (Lockheed Martin had recommended that 3 of the 17 be deferred due to changes in the NCC's functional role.) Lockheed Martin concluded that there were four options for resolving the Agency's long-term data processing needs: a new, on-campus data center; a new, off-campus data center; lease of an existing off-campus data center; or renovation of the existing NCC.
SSA is progressing on both immediate and long-term solutions. However, until the significant issues identified by Lockheed Martin are fully addressed, and a long-term data center solution is implemented, the Agency's operations remain vulnerable.
In our report, we concluded that, going forward, the Agency needs to focus its efforts on detailed plans:
- to acquire, construct, and operate a new Data Center;
- to estimate costs for the use and/or disposal of the NCC should a new primary Data Center be built; and
- for IT requirements for the next 5, 10, and 20 years.
Further, we urged SSA to identify the underlying factors that allowed the current NCC crisis to occur, and implement the necessary controls to prevent it from reoccurring.
In another ARRA project focused on the NCC, we are in the process of acquiring a vendor with the necessary highly technical skill sets to evaluate SSA's process for selecting the replacement strategy for the NCC, and to independently evaluate SSA's efforts toward implementing that strategy. While a contract award of this type would normally take almost 180 days from the date that funding was made available, SSA's Office of Acquisition and Grants has expedited the process on our behalf. We anticipate that the contract will be awarded mid-June-approximately 90 days from the date that OMB apportioned the funds to us.
On February 19, the OIG began an ongoing study, Congressional Response Report: The Social Security Administration's Information Technology Strategic Planning. In that report, we will review SSA's plan to address its data processing requirements 5 to 20 years into the future, and examine what actions SSA has taken to meet those requirements.
Another ongoing audit, The Social Security Administration's Second Data Center, is reviewing the plan, status, and data processing capacity of SSA's Second Data Center. SSA's Information Technology Operations Assurance (ITOA) initiative is designed to mitigate the risks of having a single point of failure associated with having a single, national computing facility. The ITOA project seeks to alleviate these risks by establishing a second, fully functional, co-processing data center.
This Second Data Center will be designed to process a portion of SSA's workloads, and this new center and SSA's main data center will back up each other, so that in the event of a catastrophe, operations can continue. SSA estimates that the Second Data Center will be fully functional in 2013; we will recommend that they accelerate that process to bring the Second Data Center fully online by 2010. I recently toured both the NCC and the Second Data Center, and while I was struck by the condition of the NCC, I was impressed in equal measure by the state-of-the-art facility at the new location, and the foresight evident in its planning and execution. This contrast between the NCC and the Second Data Center only highlights the importance of accelerating the completion of the new Center.
As SSA continues to plan and implement changes to ensure its continued data processing operations, the OIG will undertake additional audits and reviews to assess and evaluate the Agency's progress.
One-Time Economic Recovery Payments
We've undertaken two evaluations associated with the distribution of approximately $13 billion to Social Security and Supplemental Security Income (SSI) beneficiaries in the form of $250 individual payments. The ARRA provides SSA with $90 million to ensure these payments can be made efficiently and accurately.
Our first evaluation, Quick Response Evaluation: Economic Recovery Payments for Social Security and SSI Beneficiaries, is assessing the Agency's controls and procedures for administering the ARRA-mandated payments. Under the ARRA, individuals who receive Social Security or SSI benefits, as well as either Railroad Retirement Board or Veterans' Affairs benefits, will receive only one $250 payment. Our review will determine whether SSA has adequate controls in place for the accurate distribution of ARRA funds.
Our second review, Quick Response Evaluation: Administrative Expenses Incurred to Provide Economic Recovery Payments, will evaluate the processes put in place by SSA to identify and report costs incurred in the administration of the one-time ARRA payments.
Retirement and Disability Workload Processing
The ARRA also provided SSA with $500 million to process retirement and disability workloads, of which $40 million may be set aside for Health Information Technology development. The OIG is already at work overseeing the use of these ARRA funds.
A series of reports already underway will evaluate hiring practices. One of these reports, Quick Response Evaluation: ODAR Hiring Under the Recovery Act, began earlier this month, and will examine SSA's Office of Disability Adjudication and Review staffing plans associated with ARRA funds. Similar reports have also been initiated to examine hiring strategies for State Disability Determination Services, and for SSA's Office of Operations, which includes all SSA field offices.
Another planned evaluation, Quick Response Evaluation: Funding for Health Information Technology, will evaluate SSA's plans for the $40 million earmarked for this purpose. In March of this year, SSA informed us that it will invest the $40 million as follows:
- $16 million in direct support of IT needs to reduce the backlogs, including video conference equipment for hearings and workstations; and
- $24 million specifically for Health Information Technology, including contracts for "proof of concept" demonstration projects and pilot tests focused on electronic medical record retrieval.
Our audit will focus on the planned use of the $24 million designated specifically for Health Information Technology, whereas the $16 million will be reviewed as part of a separate audit that is already underway.
These completed, ongoing, and planned efforts are only the first of many by the SSA OIG to comply not only with the letter of the ARRA, but with its spirit of transparency, oversight, and accountability. We will continue to report to the Subcommittee, post the results of our work on our own website and on Recovery.gov, and ensure that the funding provided both to SSA and to the OIG is spent well and wisely.
I thank you again for the invitation to speak with you today, and I'd be happy to answer any questions.