Social Security Online
Office of the Inspector General
This is an archival or historical document and may not reflect current policies or procedures.
Social Security Administration
Review of the Social Security Administration's Critical Infrastructure Protection Program (Limited Distribution) (A-14-01-01019)
Our objective was to determine the adequacy of the Social Security Administration's (SSA) Critical Infrastructure Protection Plan (CIPP) for its physical assets as it relates to Presidential Decision Directive (PDD) 63. The President's Council on Integrity and Efficiency and Executive Council on Integrity and Efficiency initiated a four-phase review to determine the adequacy of the Federal Government's critical infrastructure protection program in the context of PDD 63.
The results of our review revealed that SSA has made significant progress in addressing the national PDD 63 initiative. During the review, we noted that the Agency began to implement the recommendations below. However, we further noted that SSA needs to include more detailed information in its CIPP, identify interdependencies involving its critical physical assets, and continue its efforts in completing vulnerability assessments.
We recommended that SSA:
1. Update the CIPP to include a timeline for incremental reviews of SSA's existing physical security policies and procedures.
2. Develop and update the CIPP to incorporate implementation dates for inclusion of critical infrastructure protection functions in SSA's strategic planning and performance framework.
3. Develop training goals for the CIPP to ensure that it has the personnel and skills necessary to implement a sound infrastructure protection program.
4. Identify SSA's interdependencies with other Federal agencies for its physical assets as defined in Project Matrix.
5. Continue performing vulnerability assessments for its critical physical assets.
This report contains information that is sensitive and confidential. For security reasons, distribution of this report was limited to those with a need to know.