Hearing Date: May 26, 2016, 9:00 am, 2154 Rayburn HOB

Social Security Administration: Information Systems Review

Subject
Social Security Administration: Information Systems Review
Date
May 26, 2016
Time
9:00 am
Place
2154 Rayburn HOB
Full Committee on Oversight and Accountability

TAKEAWAYS:

  • Twice, SSA failed to detect penetration tests even though the tests were designed to be detected. Auditors were able to obtain global access privileges and access Personally Identifiable Information (PII) and other sensitive information.
  • An FY2015 IG audit found weaknesses in SSA’s networks that represented severe security vulnerabilities and constituted a significant deficiency under the Federal Information Security Management Act (FISMA).
  • The SSA CISO was not able to identify the number of critical vulnerabilities detected in a recent DHS security review.
  • The SSA mainframe that houses sensitive information on nearly all Americans is, according to DHS, so fragile that it cannot be tested or scanned without the “risk of bringing it down.”

PURPOSE:

BACKGROUND:

  • SSA stores sensitive and personally identifiable information of nearly every U.S. citizen, living and deceased.
  • In its annual evaluation of SSA’s information security program, the inspector general (IG) concluded that the severity of weaknesses identified constituted a significant deficiency under FISMA.
  • Of particular concern, the IG found that SSA failed to detect a penetration test completed by an independent external auditor.
  • SSA received a grade of “C” on the Committee’s FITARA Scorecard 2.0, an improvement from its previous grade of D.

KEY VIDEOS:

Chairman Jason Chaffetz (R-UT): “It comes across as if you were hiding something from the inspector general. The fact that they were able to, unimpeded, do a penetration test, albeit that you invited them to do it. But that was the finding, is that they were able to exfiltrate personal identifiable information, which means there is a problem. And you don’t share that with the inspector general.”

Rep. John Duncan (R-TN): “I know the easiest thing in the world is to spend other people’s money and there’s just not the same pressures or incentives to hold down spending in the federal government as there is in the private sector. We’ve got to do better. … [T]he systems are out of date, aging and so forth.”

Information Technology Subcommittee Chairman Will Hurd (R-TX): “This is not an issue of technology. This is an issue of leadership. You have information on every single American in the United States of America and your CISO doesn’t even know from the last report how many critical vulnerabilities there were.”

WITNESSES AND TESTIMONIES:

Ms. Carolyn W. Colvin
Acting Administrator
Social Security Administration

Mr. Robert Klopp
Deputy Commissioner, Systems, and Chief Information Officer
Social Security Administration

Ms. Marti A. Eckert
Associate Commissioner, Information Security, and Chief Information Security Officer
Social Security Administration

Ms. Gale Stallworth Stone
Deputy Inspector General
Social Security Administration

RELATED DOCUMENTS:

  • Transcript