The Honorable Earl Pomeroy
Ranking Minority Member
Subcommittee on Oversight
Committee on Ways and Means
House of Representatives
Washington, D.C. 20515
Dear Mr. Pomeroy:
In a March 10, 2004 letter, you asked that we review issues relating to the Social Security Administration’s (SSA) arrangement for storing National Computer Center back-up tapes and records at an off-site vault facility for recovery in the event of a disaster. Your letter raised questions about several issues. On March 18, 2004, we responded to you that we would conduct a review of this activity. The enclosed report presents the results of our review.
My office is committed to combating fraud, waste, and abuse in SSA’s operations and programs. Thank you for bringing your concerns to my attention. The report highlights various facts pertaining to the issues raised in your letter. To ensure SSA is aware of the information provided to your office, we are forwarding a copy of this report to the Agency.
If you have any questions concerning this matter, please call me or have your staff contact Douglas Cunningham, Assistant Inspector General for Congressional and Intra Governmental Liaison Activities, at (202) 358-6319.
Sincerely,
Patrick P. O’Carroll, Jr.
Acting Inspector General
Enclosure
cc:
Jo Anne B. Barnhart
File Code: A-14-04-24101
CONGRESSIONAL RESPONSE
REPORT
Security
of the Social Security Administration’s
National Computer Center Back-up and
Recovery Tapes and Records
A-14-04-24101
May 2004
Mission
We improve SSA programs and operations and protect them against fraud, waste, and abuse by conducting independent and objective audits, evaluations, and investigations. We provide timely, useful, and reliable information and advice to Administration officials, the Congress, and the public.
Authority
The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:
• Conduct and supervise independent and objective audits and investigations relating to agency programs and operations.
• Promote economy, effectiveness, and efficiency within the agency.
• Prevent and detect fraud, waste, and abuse in agency programs and operations.
• Review and make recommendations regarding existing and proposed legislation and regulations relating to agency programs and operations.
• Keep the agency head and the Congress fully and currently informed of problems in agency programs and operations.
To ensure objectivity, the IG Act empowers the IG with:
• Independence to determine what reviews to perform.
• Access to all information necessary for the reviews.
• Authority to publish findings and recommendations based on the reviews.
Vision
By conducting independent and objective audits, investigations, and evaluations, we are agents of positive change striving for continuous improvement in the Social Security Administration's programs, operations, and management and in our own office.
Background
OBJECTIVE
Our objective was to address the issues raised by Congressman Earl Pomeroy in his March 10, 2004 letter, regarding the Social Security Administration’s (SSA) arrangement for storing National Computer Center (NCC) back-up tapes and records at an off-site vault facility. Specifically, concerns were raised about: (1) the security in the storage of SSA back-up tapes and records; (2) the current contractor’s compliance with established SSA and industry security standards; and (3) the process recently used by SSA to award the off-site storage of magnetic media contract to the incumbent contractor.
BACKGROUND
SSA backs up software applications and data records from the NCC on magnetic tape on a daily basis. These tapes are sent to an off-site storage facility (storage facility) Monday through Friday. The tapes are used to restore NCC software applications and data records in the event that a temporary outage or a disaster occurs, and they are also used in SSA’s annual disaster recovery test. Prior to 1997, back-up tapes were sent twice weekly to the SSA storage facility located in Wilkes-Barre, Pennsylvania. In 1997, SSA issued a Request-for-Proposal (RFP) for a storage facility for NCC back-up tapes. Three vendors submitted responses. The contract period included a base year with 4 optional years, not to exceed 60 months. This contract was awarded to Independent Services Corporation (ISC). In 2003, at the end of the initial contract period, SSA issued a Request-for-Quote (RFQ) for the same services. SSA received three responses to the RFQ and awarded the new contract to ISC. One of the unsuccessful vendors protested the contract award. SSA is currently revising the RFQ for the re-competition of this contract.
Results of Review
Our review of the concerns raised by Congressman Pomeroy in his March 10, 2004 letter determined that the level of security afforded SSA back-up tapes stored at the vendor’s off-site vault storage facility is sufficient, and that the current contractor is substantially compliant with established SSA and industry security standards. Additionally, SSA followed applicable laws, regulations, policies and procedures in awarding this contract to the incumbent contractor.
CONCERN 1: Security in the Storage of SSA Back-Up Tapes and Records at an Off-Site Vault Storage Facility
We visited the incumbent contractor’s facility on April 5 and April 20, 2004. We observed that the facility has significant security safeguards in place, including: 1) a certified fire detection and suppression system; 2) a system that monitors and controls the facility’s environment; 3) intrusion detection systems that include motion, heat and vibration sensors; 4) bullet-proof glass with breakage sensors; 5) contact alarms on all doors; and 6) utility monitoring. All of these systems are monitored 24 hours a day, 365 days a year. Furthermore, the facility has a redundant power supply. The vault used by ISC to store NCC magnetic media was certified in 1996 by independent engineers as meeting Department of Defense (DOD) criteria for vault construction for the storage of classified information (class type ‘A’ vault). As of April 2004, the engineer will not re-issue the certification for the vault because the engineer was sued by a vendor involved in the contract award protest. Although the certification has not been re-issued, neither the standards for a class type ‘A’ vault nor the configuration of the contractor’s vault have changed since the vault was certified in 1996.
Our examination of storage facility reviews performed by other auditing entities did not disclose any significant security deficiency with regard to the protection afforded SSA back-up magnetic media stored at this location. Our current and prior physical security reviews of this facility did not disclose any significant deficiency with respect to the adequate protection of SSA data stored at this facility.
Based on our analysis, we believe the contractor is adequately protecting the NCC back-up tapes and records stored at this facility.
CONCERN 2: The Current Contractor’s Compliance with Established SSA and Industry Standards
The section on Physical Access Protection in National Institute of Standards and Technology (NIST) Special Publication 800-12, entitled An Introduction to Computer Security: The NIST Handbook, states that the level of protection for material at an off-site storage facility should be the same as that afforded the same material at the primary site of operations. NIST Special Publication 800-34, entitled Contingency Planning Guide for Information Technology Systems, also gives general factors to be considered in connection with off-site storage of electronic information. In addition, the Office of Management and Budget (OMB) has published a minimum set of controls to be included in Federal automated information security programs. The contract sets the detailed guidelines for securing the storage facility, and those guidelines appear to conform to the general guidance published by NIST and OMB, as applicable.
We believe the contractor has controls and procedures in place to adequately protect the NCC back-up tapes and records. However, we have observed several areas where the contractor may not be in strict compliance with specific detailed mandatory requirements stated in the contract request (RFQ-03-0159). The following addresses these issues.
Contractor Facility Located within 25 Miles of SSA
Section B.1 of the contract states “With reference to the geographic location of the SSA complex in Woodlawn, Maryland, the storage facility shall be located at a distance of not less than 25 miles and not at a greater distance that will prohibit a two (2) hour drive/delivery time on average.” This requirement further states “…25 mile minimum distance (Point-to-Point) is intended to provide adequate separation of geographic areas and subsequent protection from fire, flood, earthquakes, and/or other acts of nature.” We determined that the incumbent contractor’s facility did not meet the 25-mile Point-to-Point requirement. Further, we have not observed any industry best practice or Federal requirement that mandates a definite distance between the storage facility and the primary operations site. The Federal Emergency Management Agency suggests “…storing data off-site where they would not likely be damaged by an event affecting your facility.”
SSA decided that the storage facility should be close enough so that tapes could be sent daily, instead of twice weekly. Additionally, having the storage facility located within 2 hours of the NCC limits magnetic tape environmental exposure and reduces tape retrieval time in the event of a temporary outage or a disaster.
Our review of the statement of work for the re-competing of this contract showed that the mileage requirement is now 20 miles Point-to-Point from the primary site of operations. The current storage facility site in question is located beyond the 20 mile Point-to-Point requirement. This distance appears reasonable in light of current Federal standards and meets the new RFQ requirements.
The Contractor Facility Is Located within a 1,000 Foot Radius of Stored Paints, Chemicals and Explosives
Another RFQ requirement prevents the contractor’s facility from being within a 1,000 foot radius of any building used for the storage of paints, chemicals or explosives of any kind. Our on-site observations made on April 5, 2004, showed that:
1. the metal water tower located in back of the storage facility appears to be closer than 300 feet;
2. the two fuel oil tanks, shown in earlier photographs next to the water tower, were removed;
3. a propane gas tank with a capacity of about 350 gallons is located within a 1,000 foot radius of the storage facility; and
4. drums, of approximately 55 gallon capacity, that are/were used to store chemicals, are within a 1,000 foot radius of the storage facility.
We also noted that a trench (known as a catchment swale) was installed to divert water from the water tower should the water tower fail. The local fire department chief informed SSA that the 350-gallon propane gas tank does not pose a significant threat to the storage facility. Our observation of the propane gas tank shows that the storage facility is not adjacent to the propane tank. The building serviced by the propane tank is between the storage facility and the tank. Also, the drums located across the road at another business that are used to store chemicals were bundled together with the notation of ‘empty’ written on the plastic wrap. In addition, there were no drums stored in the secured fenced-in area of this facility during our visit, nor was there any indication that propane gas was used by this business. Therefore, although these items technically do not comply with the RFQ, they do not appear to jeopardize the storage facility. We have not found any current industry standards that require set distances for the storage of such materials.
Optional Crisis Copy Facility
A third mandatory contract requirement was that the contractor provide a second magnetic media storage facility for the storage of ‘crisis copy’ media. Crisis copy media is defined as an older/aged set of data that is determined critical to SSA systems recovery in the event that a disaster occurs affecting the NCC, the storage facility, and vehicles transporting SSA data during the same period.
Security requirements for the optional crisis copy facility are the same as those required for the NCC and the primary storage facility. Our review of the technical evaluations and discussions with the Agency disclosed that none of the three vendors met this requirement. As a result, SSA amended the RFQ to delete the requirement, because none of the responding vendors would be able to comply. Therefore, the deletion of this requirement from the original RFQ statement of work did not change the status of any vendor, nor did it result in favoritism.
Our review of the statement of work for the amended RFQ showed that the crisis copy facility is no longer a detailed mandatory requirement.
Industry Standards and Best Practices
We have not found any industry standards or best practices that conflict with the current operation of the storage facility.
CONCERN 3: The Process Recently Used by SSA to Re-Award the Off-site Storage of Magnetic Media Contract to the Incumbent Contractor
SSA revised the terms of the statement of work to more appropriately reflect its needs and is currently in the process of re-competing the contract. The current contract will remain in effect until the new contract is awarded. We determined that SSA complied with regulatory requirements when it amended the detailed mandatory contractor requirements in the initial RFQ to reflect SSA’s ‘true needs.’
On January 30, 2004, the General Accounting Office (GAO) dismissed a protest that the contract awardee’s facility did not meet various requirements of the RFQ. GAO stated that the re-competing of this contract is the relief it would have recommended had GAO decided the merits in the protester’s favor.
Our examination of the technical evaluations showed that two of the three responders were found technically capable of meeting the statement of work’s general and detailed mandatory requirements, as amended. SSA determined that awarding this contract to the incumbent contractor was in the best interest of the Government, since the incumbent contractor’s proposal was technically qualified and offered the lowest overall cost. The difference in cost among the three proposals was significant.
Conclusion
Based on our review in response to the congressional inquiry, we believe that the contractor is adequately protecting the back-up tapes and that the contract was awarded to a contractor who is technically competent and offers the best value to SSA.
Appendices
Appendix A – Acronyms
Appendix B – Scope and Methodology
Appendix A
Acronyms
DOD Department of Defense
GAO General Accounting Office
ISC Independent Services Corporation
NCC National Computer Center
NIST National Institute of Standards and Technology
OMB Office of Management and Budget
RFP Request-for-Proposal
RFQ Request-for-Quotation
SSA Social Security Administration
Appendix B
Scope and Methodology
To answer the Congressman’s questions related to the Social Security Administration’s (SSA) use of an off-site storage facility (storage facility), we:
• Reviewed relevant contract documentation and the revised Request for Quotation;
• Reviewed SSA’s policies and procedures and industry best practices regarding the storage of back-up tapes and records;
• Conducted interviews with SSA personnel involved with the processes of the awarding and protest activities associated with this contract;
• Reviewed other audit reports involving an assessment of physical security of the storage facility and Disaster Recovery; and
• Conducted a physical security review of the contractor’s storage facility in April 2004.
Our work was conducted at the Headquarters complex in Baltimore and the storage facility in New Windsor, Maryland during March and April 2004. We conducted our review in accordance with the President’s Council on Integrity and Efficiency’s Quality Standards for Inspections.
Overview of the Office of the Inspector General
Office of Audit
The Office of Audit (OA) conducts comprehensive financial and performance audits of the Social Security Administration’s (SSA) programs and makes recommendations to ensure that program objectives are achieved effectively and efficiently. Financial audits, required by the Chief Financial Officers' Act of 1990, assess whether SSA’s financial statements fairly present the Agency’s financial position, results of operations and cash flow. Performance audits review the economy, efficiency and effectiveness of SSA’s programs. OA also conducts short-term management and program evaluations focused on issues of concern to SSA, Congress and the general public. Evaluations often focus on identifying and recommending ways to prevent and minimize program fraud and inefficiency, rather than detecting problems after they occur.
Office of Executive Operations
The Office of Executive Operations (OEO) supports the Office of the Inspector General (OIG) by providing information resource management; systems security; and the coordination of budget, procurement, telecommunications, facilities and equipment, and human resources. In addition, this office is the focal point for the OIG’s strategic planning function and the development and implementation of performance measures required by the Government Performance and Results Act. OEO is also responsible for performing internal reviews to ensure that OIG offices nationwide hold themselves to the same rigorous standards that we expect from SSA, as well as conducting investigations of OIG employees, when necessary. Finally, OEO administers OIG’s public affairs, media, and interagency activities, coordinates responses to Congressional requests for information, and also communicates OIG’s planned and current activities and their results to the Commissioner and Congress.
Office of Investigations
The Office of Investigations (OI) conducts and coordinates investigative activity related to fraud, waste, abuse, and mismanagement of SSA programs and operations. This includes wrongdoing by applicants, beneficiaries, contractors, physicians, interpreters, representative payees, third parties, and by SSA employees in the performance of their duties. OI also conducts joint investigations with other Federal, State, and local law enforcement agencies.
Counsel to the Inspector General
The Counsel to the Inspector General provides legal advice and counsel to the Inspector General on various matters, including: 1) statutes, regulations, legislation, and policy directives governing the administration of SSA’s programs; 2) investigative procedures and techniques; and 3) legal implications and conclusions to be drawn from audit and investigative material produced by the OIG. The Counsel’s office also administers the civil monetary penalty program.