Attached is Ernst & Young LLP's final audit report. Their objective was to determine the extent to which (1) the Social Security Administration had improved its cyber-security posture by defining and implementing plans to modernize or replace and retire its legacy information technology systems and (2) SSA’s efforts and plans to move to cloud services are consistent with Federal guidance.
Open Recommendations
Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details | Recommendation |
---|---|---|---|---|---|
1 | Yes | $0 | $0 | Agree | Ensure timely steps are taken to approve and implement a modernization strategy which covers SSA modernization efforts and comprehensively addresses legacy system risks for the upcoming years. |
2 | No | $0 | $0 | Agree | Ensure timely steps are taken to develop Enterprise Architecture planning documents that directly align with strategic objectives and performance goals noted in the Agency's strategic and Annual Performance Plans. |
3 | No | $0 | $0 | Agree | Review the Information Resource Management Strategic Plan annually and ensure it supports the goals of the Agency Strategic Plan, as required by the Government Performance and Results Modernization Act of 2010, OMB Circular A-130, the Paperwork Reduction Act of 1995, and the Clinger-Cohen Act of 1996. |
4 | No | $0 | $0 | Agree | Ensure legacy system modernization plans include a detailed description of the work needed for modernization, considerations for the disposition of the system, and tracking cost data that covers all aspects of the project. |
5 | Yes | $0 | $0 | Agree | Regularly perform risk assessments for legacy systems, as required by OMB Circular A-130, Section 5(a)(1)(b)(i) and (c)(ii). Performing assessments regularly will help management identify information systems and components that cannot be appropriately protected or secured. This will ensure that such systems, which may be costly or difficult to maintain, are given high priority for upgrade, replacement, or retirement. |
6 | No | $0 | $0 | Agree | Continue to refine the Agency’s inventory of business applications to ensure data elements specifically related to changes, such as retiring or replacing applications, resulting from modernization efforts are tracked/flagged appropriately. |
7 | No | $0 | $0 | Agree | Implement cost monitoring mechanisms to help with the tracking and management of costs related to modernization. Additionally, management should conduct cost analyses for modernization projects, considering cost from a risk perspective. |
8 | No | $0 | $0 | Agree | Regularly perform post-implementation reviews on all information technology investments. |