SSA needs better information security, IG says

Auditor recommends centralization, more CIO authority

The Social Security Administration should centralize and tighten controls over its cybersecurity management and provide enough authority to the agency’s chief information officer to carry out those responsibilities, said SSA Inspector General Patrick O’Carroll in a new report.

SSA officials said they will comment on those recommendations after they have conducted their own evaluation.

The IG recently performed a follow-up audit to see how well SSA has complied with information security laws and standards since the IG's last evaluation in 2001. O’Carroll concluded that SSA has implemented two and partially addressed three of the five recommendations the IG made in 2001. The latest report was issued Sept. 24.

Ongoing problems uncovered in the new audit include a decentralized and fragmented information security management structure; a CIO who lacks the authority needed to carry out cybersecurity responsibilities; insufficient documentation to show that users are notified of security incidents; and incomplete information in SSA’s Information Systems Security Handbook, the IG’s report states.

The IG also said SSA’s Office of the CIO continues to have limited authority.

“Although the [office] is responsible for the agency’s information security program, the CIO’s authority is inherently limited by the current security management structure,” O’Carroll wrote. “Under the current structure, the CIO is only responsible for security policy-making and [the Federal Information Security Management Act]. The CIO does not oversee and monitor agency-wide compliance with FISMA and other security standards and requirements.”

Margaret Tittel, SSA’s acting chief of staff, said the agency is deferring comments on the issue of the CIO’s authority and centralization of cybersecurity management until it can conduct its own evaluation. However, she said officials agreed with the IG's recommendations to update the agency’s Information Security Program Plan and the Information Systems Security Handbook, and ensure that users are notified of certain computer incidents as appropriate. In addition, SSA officials said they had implemented all five recommendations from the 2001 review, according to the report.

Earlier this year, the Government Accountability Office reported that SSA needed help with information security for its electronic data exchange programs.

About the Author

Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.
