'Significant deficiency' with Social Security Administration cybersecurity, say auditors

Weaknesses in Social Security Administration cybersecurity during the last fiscal year collectively amounted to a significant deficiency, says the agency's office of inspector general.

In a report (.pdf) issued annually to assess agency compliance with the Federal Information Security Management Act, auditors say that matters such as an incompletely implemented continuous monitoring strategy, a lack of controls to prevent unauthorized access to the production environment, and weak controls that permitted penetration testers to obtain personally identifiable information from the agency intranet added up to a great risk.

They also base their finding of a significant deficiency on the financial auditor's discovery of a material weakness in agency financial systems; a material weakness is one that has the reasonable potential to allow a material misstatement in financial statements to occur without detection or correction.

Auditors say that the agency has taken action to address some of the cybersecurity weaknesses. In September it hired three contractor penetration testers of its own and strengthened some of the controls auditors found lacking, the report says.

The continuous monitoring strategy is not yet fully implemented; agency officials told auditors they will complete evaluations of continuous monitoring tools by the end of this calendar year.

For more:
- download the report, A-14-12-12120 (.pdf)
