Date Issued
Submitting OIG
Social Security Administration OIG
Other Participating OIGs
Social Security Administration OIG
Agencies Reviewed/Investigated
Social Security Administration
Report Number
A-14-21-51093
Report Description

Objective: To determine whether the Social Security Administration was managing its Security Assessment and Authorization process in accordance with Federal and Agency requirements.

Report Type
Audit
Agency Wide
Yes
Number of Recommendations
19
Questioned Costs
$0
Funds for Better Use
$0

Open Recommendations

This report has 19 open recommendations.
Each recommendation is listed with its table columns (Significant Recommendation; Recommended Questioned Costs; Recommended Funds for Better Use; Additional Details) followed by the recommendation text.

Recommendation 1 (Significant: No; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0; Additional Details: Agree)

Complete the implementation of National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 5.

Recommendation 2 (Significant: No; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0; Additional Details: Agree)

Update policies and procedures to require that system owners define the privacy requirements for the system and the environment of operation, including where those requirements should be documented.

Recommendation 3 (Significant: No; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0; Additional Details: Agree)

Remind Agency personnel of National Archives and Records Administration regulations.

Recommendation 4 (Significant: No; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0; Additional Details: Agree)

Identify and assign the senior accountable official for risk management.

Recommendation 5 (Significant: No; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0; Additional Details: Agree)

Include the organizational risk tolerance in the Risk Management Strategy and make explicit the threats, assumptions, constraints, and trade-offs used for making investment and operational decisions.

Recommendation 6 (Significant: No; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0; Additional Details: Agree)

Document and implement procedures for conducting and updating organization-level and system-level risk assessments.

Recommendation 7 (Significant: No; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0; Additional Details: Agree)

Update the information security continuous monitoring strategy to include the monitoring requirements at the mission/business process and information system levels; the minimum monitoring frequency for implemented controls across the organization; and how ongoing assessments are to be conducted.

Recommendation 8 (Significant: No; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0; Additional Details: Agree)

Update policies and procedures to require that the senior accountable official for risk management, or other designated official, review and approve the continuous monitoring strategy and retain evidence of the review and approval.

Recommendation 9 (Significant: No; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0; Additional Details: Agree)

Remind Agency personnel of policies and procedures, including compliance with the roles and responsibilities noted in policy, and updating the security plan to document appropriate security control allocations and control tailoring.

Recommendation 10 (Significant: No; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0; Additional Details: Agree)

Centralize policies and procedures related to the Security Assessment and Authorization (SA&A) process.

Recommendation 11 (Significant: No; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0; Additional Details: Agree)

Update Agency policy to comply with Federal regulations for SA&A. Specifically, complete a system-level continuous monitoring strategy.

Recommendation 12 (Significant: No; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0; Additional Details: Agree)

Update Agency policy to comply with Federal regulations for SA&A. Specifically, require that system owners review and update Security Assessment Reports, System Security Plans, and Plans of Action and Milestones based on the results of the continuous monitoring process.

Recommendation 13 (Significant: No; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0; Additional Details: Agree)

Update Agency policy to comply with Federal regulations for SA&A. Specifically, require that system owners report the security and privacy posture of the system to the authorizing official and other organizational officials, and define how often these updates should happen.

Recommendation 14 (Significant: No; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0; Additional Details: Agree)

Update Agency process documentation, as applicable, to establish a process to document the review and approval of the system security and privacy plan by the authorizing official or designated representative.

Recommendation 15 (Significant: No; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0; Additional Details: Agree)

Update Agency process documentation, as applicable, to designate that the signed Authorization to Operate is the risk determination completed by the authorizing official or a designated representative.

Recommendation 16 (Significant: No; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0; Additional Details: Agree)

Update Agency process documentation, as applicable, to require that the authorizing official review systems’ security and privacy posture on an ongoing basis.

Recommendation 17 (Significant: No; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0; Additional Details: Agree)

Update Agency process documentation, as applicable, to require that system owners identify, define, and document requirements from the Prepare phase.

Recommendation 18 (Significant: No; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0; Additional Details: Agree)

Update Agency process documentation, as applicable, to establish a process to document the review and approval of the Security Categorization and Security Assessment Plan by the authorizing official or designated representative.

Recommendation 19 (Significant: No; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0; Additional Details: Agree)

Update Agency process documentation, as applicable, to establish a process to include recommendations in all future Security Assessment Reports.
