Can government stop using Social Security numbers?


Agencies are having trouble reducing their reliance on Social Security numbers as identifiers because of outdated systems, insufficient funding and a lack of coordinated guidance coming from the executive branch.

While the numbers serve as a unique identifier for Americans, the system was never intended to be used as a proxy ID, and their widespread use potentially exposes citizens to risks of identity theft and financial fraud.

Agencies have struggled with attempts to move off using Social Security numbers as a universal identifier since at least 2007, when the Office of Management and Budget issued guidance requiring agencies to develop plans to cut back on the collection of and reliance on the numbers due to concerns about identity theft.

The 2015 Office of Personnel Management breach, which exposed some 22 million personnel records, renewed the urgency for agencies to move off the number.

At a recent joint hearing for the House of Representatives' Ways and Means Subcommittee on Social Security and the Oversight and Government Reform IT Subcommittee, lawmakers raised concerns that the lack of progress on developing alternative identifiers and stronger protections could lead to a similar breach.

Greg Wilshusen, director of the Government Accountability Office’s Information Security Services, testified that agencies have trouble eliminating Social Security numbers from their IT systems and records "in part because no other identifier offers the same degree of awareness and utility."

Mariana LaCanfora, the acting deputy commissioner of the Social Security Administration’s Office of Retirement and Disability Policy, said that while Social Security numbers are critical for her agency’s ability to provide benefits, "the SSN and SSN card were never intended, nor do they serve, as identification."

"We strongly encourage other agencies and the public to minimize their use," she added.

Wilshusen also pointed to weak oversight from OMB as part of the problem.

"Reduction efforts in the executive branch have also been hampered by more readily addressable shortcomings," he said. "OMB has not required agencies to maintain up-to-date inventories of [Social Security] number collections, and has not established criteria for determining when the number’s use or display is unnecessary."

Some agencies have tried to develop their own identifiers to move off relying on Social Security numbers. For example, the Centers for Medicare and Medicaid Services will replace the numbers’ use as the primary identifier with a new number, the Medicare Beneficiary Identifier.

Karen Jackson, CMS' deputy chief operating officer, said this new identifier will replace the Social Security numbers for beneficiaries by April 2019.

Rep. David Schweikert (R-Ariz.), however, raised concerns that each agency creating a new identifier may merely create “a cascade of numbers” that will encounter similar cybersecurity risks.

IT Subcommittee chair Will Hurd (R-Texas) proposed the adoption of a secure, tokenized system to handle and connect the new numbers, pointing to the one used by the Estonian government as proof of concept.

However, Wilshusen said that another hurdle agencies face is limitations posed by their legacy tech.

"Legacy systems often may not be able to handle newer numbers," he said. "In order to be able to do that, it requires significant system change or modification."

OPM CIO David DeVries testified that OPM has now encrypted its collection of Social Security numbers, "with the exception of one database that resides in the mainframe, which is now sitting behind other security controls and detection systems, and that is scheduled to be completed… this calendar year."

However, on a scale of one to 10 in terms of modernity and efficiency, DeVries said he would give his agency's equipment, “from an overall architecture and operating perspective… about a 0.3 or 0.4.”

About the Author

Chase Gunter is a former FCW staff writer.

