Cybersecurity

Why OMB needs to lead on reducing federal SSN use

broken lock 

The government's effort to reduce its reliance on social security numbers is slow and continues to face challenges on the agency level.

In a recent report, the Government Accountability Office states that part of the reason for the difficulties agencies face is that they lack central guidance from the Office of Management and Budget.

While the numbers serve as a unique identifier for Americans, they were never intended to serve as a proxy ID, and their widespread use potentially exposes citizens to risks of identity theft.

Around 2007, OMB and the Social Security Administration made pushes to migrate from the number, and the 2015 Office of Personnel Management breach, which exposed some 22 million personnel records, renewed the effort's urgency.

Auditors reported that all 24 CFO Act agencies have developed plans to curb the use and display of social security numbers, but agencies continue to struggle in actually reducing their collection of and reliance on the numbers.

The agencies' reduction plans are supposed to comprise four criteria -- performance goals and indicators, measurable activities, timelines for completion, as well as roles and responsibilities. However, their thoroughness varies significantly.

Only two agencies -- the Departments of Commerce and Education -- address all four elements, and two -- the Department of Energy and the General Services Administration -- address none.

However, individual agencies are using IT to cut down on the transmittal of SSNs. For example, the Bureau of Economic Analysis within the Department of Commerce implemented a filter to block e-mails containing SSNs, and the Department of Justice's systems automatically block e-mails to external, nongovernmental users when an SSN is detected.

Even where reductions can be made, regulatory, operational and technical obstacles stand in the way. Agency officials told auditors that SSNs cannot be entirely eliminated from federal IT systems and records because of a mix of laws and longstanding practice.

Officials from 14 agencies said that reducing the use, collection and display of SSNs would require complex technological challenges to key software applications and information systems.

"SSN reduction efforts in the federal government have also been limited by more readily addressable shortcomings," the report states. Specifically, GAO points a finger at OMB's poor planning and ineffective monitoring for agencies' shortcomings.

Reduction plans are supposed to be based on unnecessary use and display of social security numbers, but OMB hasn't provided criteria for determining what "unnecessary" constitutes, leaving interpretations up to agencies' interpretations.

Additionally, OMB does not require agencies to submit progress updates or to maintain inventories of systems that contain SSNs, which makes measuring agencies' progress in reducing SSNs difficult, the report states.

"Until OMB requires agencies to adopt better practices for managing their SSN reduction processes, overall government-wide reduction efforts will likely remain limited and difficult to measure," the report states.

Auditors recommended OMB to require all agencies to develop and maintain SSN reduction plans, to inventory which of their systems contain SSNs and to submit annual status reports.

Additionally, auditors recommend that OMB define "unnecessary" collection and use of SSNs and establish performance measures of agency progress.

OMB did not provide comments on the recommendations.

About the Author

Chase Gunter is a staff writer covering civilian agencies, workforce issues, health IT, open data and innovation.

Prior to joining FCW, Gunter reported for the C-Ville Weekly in Charlottesville, Va., and served as a college sports beat writer for the South Boston (Va.) News and Record. He started at FCW as an editorial fellow before joining the team full-time as a reporter.

Gunter is a graduate of the University of Virginia, where his emphases were English, history and media studies.

Click here for previous articles by Gunter, or connect with him on Twitter: @WChaseGunter

Featured

  • Cybersecurity

    DHS floats 'collective defense' model for cybersecurity

    Homeland Security Secretary Kirstjen Nielsen wants her department to have a more direct role in defending the private sector and critical infrastructure entities from cyberthreats.

  • Defense
    Defense Secretary James Mattis testifies at an April 12 hearing of the House Armed Services Committee.

    Mattis: Cloud deal not tailored for Amazon

    On Capitol Hill, Defense Secretary Jim Mattis sought to quell "rumors" that the Pentagon's planned single-award cloud acquisition was designed with Amazon Web Services in mind.

  • Census
    shutterstock image

    2020 Census to include citizenship question

    The Department of Commerce is breaking with recent practice and restoring a question about respondent citizenship last used in 1950, despite being urged not to by former Census directors and outside experts.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.