The Government Accountability Office (GAO) said in a new report that the Social Security Administration (SSA) still needs to improve its cybersecurity by addressing how it coordinates with states and other Federal agencies.
GAO listed improving cybersecurity among open priority recommendations for SSA – a recommendation that stems from a May 2020 report. The report calls for coordination with other agencies on ensuring consistency among its cybersecurity requirements and revising assessment policies to ensure the maximum coordination possible.
“The Federal government exchanges personally identifiable and other sensitive information with state agencies,” United States Comptroller General Gene Dodaro wrote in a letter to the acting SSA commissioner as part of GAO’s latest annual report to the agency listing its open priority recommendations for improvement.
“Two priority recommendations in this area focus on ensuring that SSA’s cybersecurity requirements and assessment procedures for state agencies are consistent with other Federal agencies and National Institute of Standards and Technology (NIST) guidance, and that they maximize coordination with other Federal agencies,” Dodaro added. “Implementing these recommendations could enhance coordination across Federal and state agencies to protect sensitive information.”
GAO said that SSA’s Commissioner should collaborate with the Office of Management and Budget and get input from the Centers for Medicare and Medicaid Services, the FBI, the Internal Revenue Service, and state agency stakeholders to ensure that SSA’s cybersecurity practices are consistent with NIST guidance, with a documented rationale for any deviations.
GAO said SSA agreed with the recommendation and has partially implemented it by beginning to update its policies. GAO added, “However, as of February 2022, the agency did not have an update on its efforts to collaborate with federal agencies when making revisions to its security requirements and assessment procedures.”
“To fully address this recommendation, SSA needs to demonstrate its collaboration with federal agencies to make cybersecurity requirements more consistent,” GAO wrote. “States’ compliance with multiple federal agencies’ cybersecurity requirements has resulted in increased costs. Coordinating to address these multiple cybersecurity requirements could help to significantly reduce these costs.”
GAO said that SSA also agreed with, and has partially implemented, GAO’s recommendation to “revise its assessment policies to maximize coordination with other Federal agencies to the greatest extent practicable.”
GAO said that, as of February, SSA had begun reviewing compliance assessment policies to see where to incorporate best practices for coordination but had not yet incorporated that information into its assessment procedures.
“To fully implement this recommendation, SSA needs to finalize its review and update its assessment procedures to incorporate steps for coordinating with other federal agencies,” GAO wrote. “Greater collaboration could ensure that security policy effectively protects sensitive information.”