IG: Social Security’s Information Security Program is ‘Not Effective,’ Says Watchdog

The Social Security Administration—the agency charged with managing a significant portion of the government social safety net and administering citizens’ national ID number—has an information security program in place but it’s “not effective,” according to an annual review through the Office of the Inspector General.

As part of the yearly Federal Information Security Management Act, or FISMA, review, agencies are audited on 54 factors, resulting in a maturity level and an overall assessment of whether those efforts are effectively protecting the enterprise. Third-party auditors found several security weaknesses in Social Security’s fiscal 2019 review, enough to garner a rating of “not effective” using criteria established by the Homeland Security Department.

The public release of the report offered few specifics as to the issues but mentioned deficiencies identified in the agency’s risk management, configuration management, identity and access management, data protection and privacy, security training, continuous monitoring, incident response and contingency planning. Auditors noted many of these were recurring problems they have identified in the past.

“While SSA continued executing its risk-based approach to strengthen controls over its information systems and address weaknesses, we continued identifying persistent deficiencies in both the design and operation of controls related to the DHS reporting metrics,” the report states.

Auditors ultimately made 14 recommendations to improve the agency’s cybersecurity posture.

Social Security officials agreed with the auditors’ findings and recommendations, though they argued the overall maturity level should have been one grade higher than the report concluded.

The maturity model puts an agency’s information security posture at one of five levels, ranging from “ad hoc” and reactive to “optimized” with consistent implementation and measurable metrics to ensure the program evolves and improves.

The 2019 report summary does not indicate what level auditors determined for Social Security, though the authors stated that they stand by their determination despite the agency’s dispute.