SSA needs better information security, IG says

SSA has not followed through on key cybersecurity recommendations, according to a new report.

The Social Security Administration should centralize and tighten controls over its cybersecurity management and provide enough authority to the agency’s chief information officer to carry out those responsibilities, said SSA Inspector General Patrick O’Carroll in a new report.

SSA officials said they will comment on those recommendations after they have conducted their own evaluation.

The IG recently performed a follow-up audit to see how well SSA has complied with information security laws and standards since the IG's last evaluation in 2001. O’Carroll concluded that SSA has implemented two and partially addressed three of the five recommendations the IG made in 2001. The latest report was issued Sept. 24.

Ongoing problems uncovered in the new audit include a decentralized and fragmented information security management structure, insufficient authority for the CIO to carry out cybersecurity responsibilities, insufficient documentation to ensure that users are notified of security incidents, and incomplete information in SSA’s Information Systems Security Handbook, the IG’s report states.

The IG elaborated on the limits of the authority held by SSA’s Office of the CIO.

“Although the [office] is responsible for the agency’s information security program, the CIO’s authority is inherently limited by the current security management structure,” O’Carroll wrote. “Under the current structure, the CIO is only responsible for security policy-making and [the Federal Information Security Management Act]. The CIO does not oversee and monitor agency-wide compliance with FISMA and other security standards and requirements.”

Margaret Tittel, SSA’s acting chief of staff, said the agency is deferring comments on the issue of the CIO’s authority and centralization of cybersecurity management until it can conduct its own evaluation. However, she said officials agreed with the IG's recommendations to update the agency’s Information Security Program Plan and the Information Systems Security Handbook, and ensure that users are notified of certain computer incidents as appropriate. In addition, SSA officials said they had implemented all five recommendations from the 2001 review, according to the report.

Earlier this year, the Government Accountability Office reported that SSA needed help with information security for its electronic data exchange programs.