Objective

To review the plan, design, status, and data processing capacity of the Social Security Administration’s (SSA) Durham Support Center (DSC) focusing on SSA’s strategic planning in the acquisition of the DSC.

Background

The DSC is a critical element in SSA’s Information Technology Operations Assurance (ITOA) initiative.  ITOA was initiated in response to Agency vulnerabilities identified in a 2002 assessment of SSA’s disaster recovery plan.  In 2005, SSA worked with the General Services Administration to acquire a second data center, and in January 2009, it took possession of the DSC.  The DSC is a co-processing center; where routine operations will be divided between it and the National Computer Center (NCC).  Each data center will have the capability to handle the Agency’s information technology (IT) workloads associated with essential functions in the event of a disaster at one of the data centers.

Our Findings

Despite the challenges to the project, SSA appears to have successfully designed a co‑processing center that incorporates a number of Tier III level features and meets industry security standards.  The Agency not only considered future processing needs of the center, such as “white space,” it designed and constructed the DSC in a manner that minimizes the likelihood that the physical concerns at the NCC will be repeated.  While SSA performed some IT planning, it could have benefited had more integrated strategic planning been performed.  Given the significance of the Agency’s current efforts to build a new NCC, we believe SSA should learn from its experience with the DSC and take the necessary steps to ensure proper planning to mitigate project delays and cost increases. 

Our Recommendations

1. Accelerate the use of the DSC as a fully functioning data center with emphasis on using the DSC as the DR site for the NCC.
2. Develop a comprehensive, long-range IT strategic plan that is transparent and integrated within other SSA components,  includes possible constraints and challenges on all aspects of IT projects, and conforms to the Agency’s strategic plan. 
3. Formally document the Agency’s plan to accelerate the use of the DSC as part of SSA’s disaster recovery plan and update the disaster recovery plan as the DSC and NCC replacement become fully functional.
4. Develop a policy to ensure emergency instructions and plans are completed for Headquarters facilities within at least the same time frame as required by the Field Administration policy.

For future IT investments, SSA should:

1. Monitor actual performance compared to expected results to ensure projects meet agreed-upon budget and milestones.
2. Ensure a risk assessment is done to identify environmental risks associated with the site location of new structures.
3. Assess and appropriately address the security weaknesses identified in this review.