SSA online authentication implementation wanting, says OIG


Electronic authentication standards implementation and documentation for some Social Security Administration website applications has been wanting, says the administration inspector general.

In a report dated Oct. 14, the OIG says three citizen-to-government Internet applications rated as requiring high confidence in the user's asserted identity--Level 3 applications, as defined (.pdf) by Office of Management and Budget M-04-04--lacked a compliant authentication protocol.

Guidance from the National Institute of Standards and Technology, SP 800-63 (.pdf), requires agencies to implement a multifactor remote network authentication protocol for Level 3 applications. SSA is in the process of standing up an electronic authentication solution that will meet the requirements for Level 2 and Level 3 applications, agency officials told auditors, but the anticipated release date has been pushed back from June 2011 to early calendar year 2012.

As the audit was being prepared, SSA removed one of the Level 3 applications from the online production environment and reassessed the other two as Level 2 applications, the report adds.

Four other citizen-to-government Internet applications lacked documentation that the SSA performed an authentication risk assessment, the report also says. Agency staff from the office of open government told auditors that before January 2009, the agency lacked a standard process for conducting ARAs, and that some projects went through systems development without one.

The four applications were Medicare Replacement Card, Replacement 1099, Public Fraud Reporting Form, and Child Disability Report.

As a result, auditors say, the agency has lacked assurance that the applications have in place an authentication protocol commensurate with the risk each application presents. After auditors issued a draft report, SSA officials conducted an ARA for the Public Fraud Reporting Form application.

The report also says that none of the 22 citizen-to-government Internet applications were validated after implementation, as OMB M-04-04 also requires. Post-implementation validation is required because implementation may create new risks or compound existing ones. Agency staff told auditors they monitor application activity for 30 to 60 days following release to production, but that they lack the resources to produce stand-alone documentation of post-implementation validations.

Agency officials also didn't conduct required periodic risk reassessments for 11 of those applications, the report adds.

For more:
- download the report, A-14-11-11115 (.pdf)
