Cybersecurity

Why OMB needs to lead on reducing federal SSN use

broken lock 

The government's effort to reduce its reliance on social security numbers is slow and continues to face challenges on the agency level.

In a recent report, the Government Accountability Office states that part of the reason for the difficulties agencies face is that they lack central guidance from the Office of Management and Budget.

While the numbers serve as a unique identifier for Americans, they were never intended to serve as a proxy ID, and their widespread use potentially exposes citizens to risks of identity theft.

Around 2007, OMB and the Social Security Administration made pushes to migrate from the number, and the 2015 Office of Personnel Management breach, which exposed some 22 million personnel records, renewed the effort's urgency.

Auditors reported that all 24 CFO Act agencies have developed plans to curb the use and display of social security numbers, but agencies continue to struggle in actually reducing their collection of and reliance on the numbers.

The agencies' reduction plans are supposed to comprise four criteria -- performance goals and indicators, measurable activities, timelines for completion, as well as roles and responsibilities. However, their thoroughness varies significantly.

Only two agencies -- the Departments of Commerce and Education -- address all four elements, and two -- the Department of Energy and the General Services Administration -- address none.

However, individual agencies are using IT to cut down on the transmittal of SSNs. For example, the Bureau of Economic Analysis within the Department of Commerce implemented a filter to block e-mails containing SSNs, and the Department of Justice's systems automatically block e-mails to external, nongovernmental users when an SSN is detected.

Even where reductions can be made, regulatory, operational and technical obstacles stand in the way. Agency officials told auditors that SSNs cannot be entirely eliminated from federal IT systems and records because of a mix of laws and longstanding practice.

Officials from 14 agencies said that reducing the use, collection and display of SSNs would require complex technological challenges to key software applications and information systems.

"SSN reduction efforts in the federal government have also been limited by more readily addressable shortcomings," the report states. Specifically, GAO points a finger at OMB's poor planning and ineffective monitoring for agencies' shortcomings.

Reduction plans are supposed to be based on unnecessary use and display of social security numbers, but OMB hasn't provided criteria for determining what "unnecessary" constitutes, leaving interpretations up to agencies' interpretations.

Additionally, OMB does not require agencies to submit progress updates or to maintain inventories of systems that contain SSNs, which makes measuring agencies' progress in reducing SSNs difficult, the report states.

"Until OMB requires agencies to adopt better practices for managing their SSN reduction processes, overall government-wide reduction efforts will likely remain limited and difficult to measure," the report states.

Auditors recommended OMB to require all agencies to develop and maintain SSN reduction plans, to inventory which of their systems contain SSNs and to submit annual status reports.

Additionally, auditors recommend that OMB define "unnecessary" collection and use of SSNs and establish performance measures of agency progress.

OMB did not provide comments on the recommendations.

About the Author

Chase Gunter is a staff writer covering civilian agencies, workforce issues, health IT, open data and innovation.

Prior to joining FCW, Gunter reported for the C-Ville Weekly in Charlottesville, Va., and served as a college sports beat writer for the South Boston (Va.) News and Record. He started at FCW as an editorial fellow before joining the team full-time as a reporter.

Gunter is a graduate of the University of Virginia, where his emphases were English, history and media studies.

Click here for previous articles by Gunter, or connect with him on Twitter: @WChaseGunter

Featured

  • Telecommunications
    Stock photo ID: 658810513 By asharkyu

    GSA extends EIS deadline to 2023

    Agencies are getting up to three more years on existing telecom contracts before having to shift to the $50 billion Enterprise Infrastructure Solutions vehicle.

  • Workforce
    Shutterstock image ID: 569172169 By Zenzen

    OMB looks to retrain feds to fill cyber needs

    The federal government is taking steps to fill high-demand, skills-gap positions in tech by retraining employees already working within agencies without a cyber or IT background.

  • Acquisition
    GSA Headquarters (Photo by Rena Schild/Shutterstock)

    GSA to consolidate multiple award schedules

    The General Services Administration plans to consolidate dozens of its buying schedules across product areas including IT and services to reduce duplication.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.