Skip to content
Social Security Online
Office of the Inspector General
OIG Home

This is an archival or historical document and may not reflect current policies or procedures
SSA logo: link to Social Security Online home

Report Summary - A-14-03-23001


Learn about Us

Meet OIG Senior Staff

Report Fraud to the Hotline

Apply for a Job

Visit our Library

Frequently Asked Questions

Reach Us

Links of Interest

OIG Sitemap 

Report Summary
Social Security Administration
Office of the Inspector General

Management Advisory Report: President's Council on Integrity and Efficiency Review of Critical Infrastructure Protection Program-Cyber-based Infrastructure (Limited Distribution) (A-14-03-23001)

Our objective was to determine the adequacy of the Social Security Administration's (SSA) Critical Infrastructure Protection (CIP) Program for its cyber assets in the context of Presidential Decision Directive (PDD) 63. We reviewed:

Blue Bullet Risk mitigation

Blue Bullet Emergency management actions

Blue Bullet Interagency coordination efforts

Blue Bullet Resource and organization requirements

Blue Bullet Recruitment, education and security awareness.

PDD 63 calls for the national effort to assure the security of the Nation's critical infrastructures. In 1999, SSA voluntarily took a lead in implementing PDD 63 and began a CIP initiative.

This audit is the second phase of a four-phase audit that reviewed the adequacy of agencies' implementation of activities for protecting critical cyber-based infrastructures. The general purpose of the four-phase audit is to determine Federal agencies' compliance with PDD 63.

During our review, we found SSA needs to:

Blue Bullet Include additional information in its CIP plan.

Blue Bullet Update its CIP plan to accurately reflect the security programs initiated.

Blue Bullet Develop mitigation plans for vulnerability assessments that do not have established plans.

Blue Bullet Continue its efforts to track and remedy recommendations found in the vulnerability assessments of its critical assets.

Blue Bullet Complete its interdependencies with other Federal agencies.

To address our findings, we recommended SSA:

Blue Bullet Update CIP plan to accurately reflect the cyber-based security programs it has initiated and that were noted in SSA's Fiscal Year 2002 Government Information Security Reform Act report.

Blue Bullet Develop training goals for the CIP plan to ensure that the Agency has the personnel and skills necessary to implement a sound infrastructure protection program.

Blue Bullet Develop mitigation reports for all critical assets that track vulnerability assessment findings; monitor corrective actions planned; and document resolutions implemented.

Blue Bullet Continue to track and implement recommendations for vulnerability assessments with established relative mitigation plans for its critical assets.

Blue Bullet Continue to identify interdependencies with other Federal agencies for its cyber-based assets as defined in Project Matrix, which was established under the authority of PDD 63 to assist Federal agencies in identifying infrastructure dependencies and interdependencies that are required for them to fulfill their responsibilities of national security, economic stability, and public health and safety.

SSA agreed with all of our recommendations and is implementing the recommended changes.

This report contains information that is sensitive and confidential. For security reasons, distribution of this report was limited to those with a need to know.

 Link to U.S. Government portal Privacy Policy | Website Policies & Other Important Information | Site Map
Need Larger Text?