Controlling and limiting access to the Agency’s information systems and resources is the first line of defense in assuring the confidentiality, integrity, and availability of the Agency’s information technology resources. SSA’s systems access policy is built on the principles of least privilege and need-to-know. This policy applies to all SSA employees and other authorized users, such as employees of other agencies, business partners, contractors, agents, and any other individuals operating on the Agency’s behalf and having direct access to and/or using SSA information system resources.
We identified three systems that contained contractor populations: Top Secret, the Electronic Personal Enrollment Credential System (EPECS), and the Contractor Suitability System (CSS).
The objective of this report was to determine (1) whether security profiles assigned to SSA contractors provided access to SSA data they did not need and (2) whether terminated contractors still had access to SSA systems.