Why OMB needs to lead on reducing federal SSN use
The government's effort to reduce its reliance on social security numbers lacks central guidance, according to a recent oversight report.
The government's effort to reduce its reliance on social security numbers is slow and continues to face challenges on the agency level.
In a recent report, the Government Accountability Office states that part of the reason for the difficulties agencies face is that they lack central guidance from the Office of Management and Budget.
While the numbers serve as a unique identifier for Americans, they were never intended to serve as a proxy ID, and their widespread use potentially exposes citizens to risks of identity theft.
Around 2007, OMB and the Social Security Administration made pushes to migrate from the number, and the 2015 Office of Personnel Management breach, which exposed some 22 million personnel records, renewed the effort's urgency.
Auditors reported that all 24 CFO Act agencies have developed plans to curb the use and display of social security numbers, but agencies continue to struggle in actually reducing their collection of and reliance on the numbers.
The agencies' reduction plans are supposed to comprise four criteria -- performance goals and indicators, measurable activities, timelines for completion, as well as roles and responsibilities. However, their thoroughness varies significantly.
Only two agencies -- the Departments of Commerce and Education -- address all four elements, and two -- the Department of Energy and the General Services Administration -- address none.
However, individual agencies are using IT to cut down on the transmittal of SSNs. For example, the Bureau of Economic Analysis within the Department of Commerce implemented a filter to block e-mails containing SSNs, and the Department of Justice's systems automatically block e-mails to external, nongovernmental users when an SSN is detected.
Even where reductions can be made, regulatory, operational and technical obstacles stand in the way. Agency officials told auditors that SSNs cannot be entirely eliminated from federal IT systems and records because of a mix of laws and longstanding practice.
Officials from 14 agencies said that reducing the use, collection and display of SSNs would require complex technological challenges to key software applications and information systems.
"SSN reduction efforts in the federal government have also been limited by more readily addressable shortcomings," the report states. Specifically, GAO points a finger at OMB's poor planning and ineffective monitoring for agencies' shortcomings.
Reduction plans are supposed to be based on unnecessary use and display of social security numbers, but OMB hasn't provided criteria for determining what "unnecessary" constitutes, leaving interpretations up to agencies' interpretations.
Additionally, OMB does not require agencies to submit progress updates or to maintain inventories of systems that contain SSNs, which makes measuring agencies' progress in reducing SSNs difficult, the report states.
"Until OMB requires agencies to adopt better practices for managing their SSN reduction processes, overall government-wide reduction efforts will likely remain limited and difficult to measure," the report states.
Auditors recommended OMB to require all agencies to develop and maintain SSN reduction plans, to inventory which of their systems contain SSNs and to submit annual status reports.
Additionally, auditors recommend that OMB define "unnecessary" collection and use of SSNs and establish performance measures of agency progress.
OMB did not provide comments on the recommendations.
NEXT STORY: DOD risks 'rogue' apps under current IoT policy