Social Security Administration: Information Systems Review

TAKEAWAYS:

• Twice, SSA failed to detect penetration tests even though the tests were designed to be detected. Auditors were able to obtain global access privileges, and access Personal Identifiable Information (PII) and other sensitive information.
• An FY2015 IG audit found weaknesses in SSA’s networks representing severe security vulnerabilities and constituting a significant deficiency under the Federal Information Security Management Act (FISMA).
• SSA CISO was not able to identify the number of critical vulnerabilities detected in a recent DHS security review.
• SSA mainframe that houses sensitive information of nearly all Americans is so fragile according to DHS it cannot be tested or scanned without the “risk of bringing it down.”

PURPOSE:

• To examine the information security systems operated by the Social Security Administration (SSA) and its contractors.
• To review SSA’s 2015 Federal Information Security Management Act (FISMA) audit results, its performance on the Committee’s Federal Information Technology Acquisition Reform Act (FITARA) Scorecard 2.0, the state of its legacy IT systems, and other key issues.

BACKGROUND:

• SSA stores sensitive and personally identifiable information of nearly every U.S. citizen, living and deceased.
• In its annual evaluation of SSA’s information security program, the inspector general (IG) concluded that the severity of weaknesses identified constituted a significant deficiency under FISMA.
• Of particular concern, the IG found that SSA failed to detect a penetration test completed by an independent external auditor.
• SSA received a grade of “C” on the Committee’s FITARA Scorecard 2.0, an improvement from its previous grade of D.

KEY VIDEOS:

 Chairman Jason Chaffetz (R-UT): “It comes across as if you were hiding something from the inspector general. The fact that they were able to, unimpeded, do a penetration test, albeit that you invited them to do it. But that was the finding, is that they were able to exfiltrate personal identifiable information, which means there is a problem. And you don’t share that with the inspector general.”

Rep. John Duncan (R-TN): “I know the easiest thing in the world is to spend other people’s money and there’s just not the same pressures or incentives to hold down spending in the federal government as there is in the private sector. We’ve got to do better. … [T]he systems are out of date, aging and so forth.”

Information Technology Subcommittee Chairman Will Hurd (R-TX): “This is not an issue of technology. This is an issue of leadership. You have information on every single American in the United States of America and your CISO doesn’t even know from the last report how many critical vulnerabilities there were. ”