SSA needs better information security, IG says

Auditor recommends centralization, more CIO authority

The Social Security Administration should centralize and tighten controls over its cybersecurity management and provide enough authority to the agency’s chief information officer to carry out those responsibilities, said SSA Inspector General Patrick O’Carroll in a new report.

SSA officials said they will comment on those recommendations after they have conducted their own evaluation.

The IG recently performed a follow-up audit to see how well SSA has complied with information security laws and standards since the IG's last evaluation in 2001. O’Carroll concluded that SSA has implemented two and partially addressed three of the five recommendations the IG made in 2001. The latest report was issued Sept. 24.

Ongoing problems uncovered in the new audit include a decentralized and fragmented information security management structure, not enough authority for the CIO to carry out cybersecurity responsibilities, insufficient documentation to ensure that users are notified of security incidents, and incomplete information in SSA’s Information Systems Security Handbook, the IG’s report states.

The IG also said SSA’s Office of the CIO continues to have limited authority.

“Although the [office] is responsible for the agency’s information security program, the CIO’s authority is inherently limited by the current security management structure,” O’Carroll wrote. “Under the current structure, the CIO is only responsible for security policy-making and [the Federal Information Security Management Act]. The CIO does not oversee and monitor agency-wide compliance with FISMA and other security standards and requirements.”

Margaret Tittel, SSA’s acting chief of staff, said the agency is deferring comments on the issue of the CIO’s authority and centralization of cybersecurity management until it can conduct its own evaluation. However, she said officials agreed with the IG's recommendations to update the agency’s Information Security Program Plan and the Information Systems Security Handbook, and ensure that users are notified of certain computer incidents as appropriate. In addition, SSA officials said they had implemented all five recommendations from the 2001 review, according to the report.

Earlier this year, the Government Accountability Office reported that SSA needed help with information security for its electronic data exchange programs.

About the Author

Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.
