Social Security Administration: Information Systems Review

Full House Committee on Oversight and Government Reform
Hearing Date: May 26, 2016 9:00 am 2154 Rayburn HOB

TAKEAWAYS:

  • Twice, SSA failed to detect penetration tests even though the tests were designed to be detected. Auditors were able to obtain global access privileges and to access Personal Identifiable Information (PII) and other sensitive information.
  • An FY2015 IG audit found weaknesses in SSA’s networks representing severe security vulnerabilities and constituting a significant deficiency under the Federal Information Security Management Act (FISMA).
  • The SSA CISO was unable to state the number of critical vulnerabilities detected in a recent DHS security review.
  • The SSA mainframe that houses sensitive information on nearly all Americans is, according to DHS, so fragile that it cannot be tested or scanned without the “risk of bringing it down.”

PURPOSE:

BACKGROUND:

  • SSA stores sensitive and personally identifiable information of nearly every U.S. citizen, living and deceased.
  • In its annual evaluation of SSA’s information security program, the inspector general (IG) concluded that the severity of weaknesses identified constituted a significant deficiency under FISMA.
  • Of particular concern, the IG found that SSA failed to detect a penetration test completed by an independent external auditor.
  • SSA received a grade of “C” on the Committee’s FITARA Scorecard 2.0, an improvement from its previous grade of D.

KEY VIDEOS:

Chairman Jason Chaffetz (R-UT): “It comes across as if you were hiding something from the inspector general. The fact that they were able to, unimpeded, do a penetration test, albeit that you invited them to do it. But that was the finding, is that they were able to exfiltrate personal identifiable information, which means there is a problem. And you don’t share that with the inspector general.”

Rep. John Duncan (R-TN): “I know the easiest thing in the world is to spend other people’s money and there’s just not the same pressures or incentives to hold down spending in the federal government as there is in the private sector. We’ve got to do better. … [T]he systems are out of date, aging and so forth.”

Information Technology Subcommittee Chairman Will Hurd (R-TX): “This is not an issue of technology. This is an issue of leadership. You have information on every single American in the United States of America and your CISO doesn’t even know from the last report how many critical vulnerabilities there were.”

Witnesses and testimonies

Name | Title | Organization
Ms. Carolyn W. Colvin | Acting Administrator | Social Security Administration
Mr. Robert Klopp | Deputy Commissioner, Systems, and Chief Information Officer | Social Security Administration
Ms. Marti A. Eckert | Associate Commissioner, Information Security, and Chief Information Security Officer | Social Security Administration
Ms. Gale Stallworth Stone | Deputy Inspector General | Social Security Administration