Security system planning, testing lapses due to budget constraints, says SSA


Social Security Administration officials say lack of money prevented them from updating and testing security controls on two major systems, says an SSA office of inspector general audit assessing agency compliance with the Federal Information Security Management Act.

The agency did not update the system security plans for its FALCON Data Entry System and Security Unified Measurement System or perform required annual security control testing, find auditors. SSA officials told auditors the systems' SSPs and testing fell by the wayside "because of budget cuts," according to the report.

A similar scenario was reported Nov. 15, when Federal Energy Regulatory Commission officials told auditors that the commission had not fully implemented cybersecurity policies and procedures due to budget and resource constraints.

Budget was not cited as a contributing factor in FISMA noncompliance elsewhere in the SSA audit report. The only other major problem identified by the OIG is a deficiency for financial statement reporting--a recurring and significant problem, note authors. However, a financial statement significant deficiency in internal control does not meet the criteria of a significant deficiency as defined in FISMA.

The auditors also found what they characterize as minor deficiencies that have significantly improved since they were identified in previous audits. Still, the OIG had several recommendations for immediate attention:

  • SSA contractor personnel need security awareness training and should complete training before accessing agency systems;
  • SSA should help components determine which contractors need such training;
  • SSA must fully implement its Strategy for Information Security Program Continuous Monitoring, which was issued Sept. 16; and
  • The agency chief information security officer should have access to all continuous monitoring data.
