Date Issued
Submitting OIG: Social Security Administration OIG
Other Participating OIGs: Social Security Administration OIG
Agencies Reviewed/Investigated: Social Security Administration
Report Number: A-14-21-51093

Report Description

Objective: To determine whether the Social Security Administration was managing its Security Assessment and Authorization process in accordance with Federal and Agency requirements.

Report Type: Audit
Agency Wide: Yes
Number of Recommendations: 19
Questioned Costs: $0
Funds for Better Use: $0

Open Recommendations

This report has 10 open recommendations.
Recommendation 1 | Significant: No | Recommended Questioned Costs: $0 | Recommended Funds for Better Use: $0 | Additional Details: Agree
Complete the implementation of National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 5.

Recommendation 4 | Significant: No | Recommended Questioned Costs: $0 | Recommended Funds for Better Use: $0 | Additional Details: Agree
Identify and assign the senior accountable official for risk management.

Recommendation 5 | Significant: No | Recommended Questioned Costs: $0 | Recommended Funds for Better Use: $0 | Additional Details: Agree
Include the organizational risk tolerance in the Risk Management Strategy and make explicit the threats, assumptions, constraints, and trade-offs used for making investment and operational decisions.

Recommendation 6 | Significant: No | Recommended Questioned Costs: $0 | Recommended Funds for Better Use: $0 | Additional Details: Agree
Document and implement procedures for conducting and updating organization-level and system-level risk assessments.

Recommendation 7 | Significant: No | Recommended Questioned Costs: $0 | Recommended Funds for Better Use: $0 | Additional Details: Agree
Update the information security continuous monitoring strategy to include the monitoring requirements at the mission/business process and information system levels; the minimum monitoring frequency for implemented controls across the organization; and how ongoing assessments are to be conducted.

Recommendation 8 | Significant: No | Recommended Questioned Costs: $0 | Recommended Funds for Better Use: $0 | Additional Details: Agree
Update policies and procedures to require that the senior accountable official for risk management, or other designated official, review and approve the continuous monitoring strategy and retain evidence of the review and approval.

Recommendation 9 | Significant: No | Recommended Questioned Costs: $0 | Recommended Funds for Better Use: $0 | Additional Details: Agree
Remind Agency personnel of policies and procedures, including compliance with the roles and responsibilities noted in policy, and of the need to update the security plan to document appropriate security control allocations and control tailoring.

Recommendation 10 | Significant: No | Recommended Questioned Costs: $0 | Recommended Funds for Better Use: $0 | Additional Details: Agree
Centralize policies and procedures related to the Security Assessment and Authorization (SA&A) process.

Recommendation 11 | Significant: No | Recommended Questioned Costs: $0 | Recommended Funds for Better Use: $0 | Additional Details: Agree
Update Agency policy to comply with Federal regulations for SA&A. Specifically, complete a system-level continuous monitoring strategy.

Recommendation 19 | Significant: No | Recommended Questioned Costs: $0 | Recommended Funds for Better Use: $0 | Additional Details: Agree
Update Agency process documentation, as applicable, to establish a process to include recommendations in all future Security Assessment Reports.
