VA Needs a Security Check For Its Social Security Number Reduction Tool

A tool designed to protect the identity of veterans is itself in need of a security update.

The Veterans Affairs Department’s Social Security Number Reduction, or SSNR, tool was recently migrated from a contractor-run environment to the agency’s own enterprise cloud and is in need of a security review before it can be used on VA systems.

Agencies have been trying to wean themselves off of Social Security numbers for nearly 15 years, going back to an Office of Management and Budget mandate issued in 2007. That push continues today, with lawmakers to the then-head of the Cybersecurity and Infrastructure Security Agency calling for an end to reliance on the number as a form of identity verification.

VA has the statutory authority to use SSNs as identifiers. However, the "increased availability of SSNs with the aggregation of other personal identifiers has exposed individuals to possible identity theft,” according to a request for information posted to SAM.gov. “Thus, VA has taken steps to reduce and, where possible, eliminate the use of the SSNs in VA operations, programs and services.”

To that end, the agency’s Privacy Service team developed the Social Security Number Reduction, or SSNR, tool in 2018 to seek out and catalog SSN use across the agency. As those uses are identified, VA privacy officers work with the relevant programs to reduce or eliminate the need to use the number.

The tool was originally developed and approved to operate on a contractor-owned server. That contract has since expired and the tool has been moved over to the VA Enterprise Cloud, though it has not yet been approved to operate in that environment.

To get the tool properly authorized again, VA needs to put the program through the full authority to operate, or ATO, process, and is looking for a vendor to manage that review.

“The Contractor shall perform all functions to maintain the ATO for the SSNR tool in the VAEC cloud based environment to include any and all ATO related requirements including code changes to enhance and upgrade the existing SSNR Tool to meet [VA Technical Reference Model] requirements and for long-term sustainability and use; security and legal compliance; and the eventual collection, reduction and/or elimination of the use of SSNs in VA databases,” the RFI states.   

The ATO work will include developing an implementation plan, conducting technical scans and tests, and maintaining the ATO once granted.

While getting a new ATO is the priority, the contract will also include ongoing maintenance and upgrades for the tool—along with ensuring those upgrades remain secure.

“The contractor shall enhance and upgrade the existing SSNR Tool to meet [Technical Reference Model] requirements as technologies change and for long-term sustainability and use,” the RFI states. “The contractor shall also provide database management, troubleshooting, and user-support for VA officials utilizing the SSNR Tool.”

VA plans to make the award off of its Transformation Twenty-One Total Technology Next Generation, or T4NG, contract. The contract will run for one year, with four one-year add-on options.

Responses to the RFI are due July 20.