Security Assessment and Authorization Process

View Report

Date Issued

Wednesday, September 25, 2024

Submitting OIG

Social Security Administration OIG

Other Participating OIGs

Social Security Administration OIG

Agencies Reviewed/Investigated

Social Security Administration

Report Number

A-14-21-51093

Report Description

Objective: To determine whether the Social Security Administration was managing its Security Assessment and Authorization process in accordance with Federal and Agency requirements.

Report Type

Audit

Agency Wide

Yes

Number of Recommendations

Questioned Costs

Funds for Better Use

Open Recommendations

This report has 6 open recommendations.

Recommendation Number	Significant Recommendation	Recommended Questioned Costs	Recommended Funds for Better Use	Additional Details
1	No	$0	$0	Agree
Complete the implementation of National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 5.
4	No	$0	$0	Agree
Identify and assign the senior accountable official for risk management.
5	No	$0	$0	Agree
Include the organizational risk tolerance and make explicit the threats, assumptions, constraints, and trade offs used for making investment and operational decisions in the Risk Management Strategy.
6	No	$0	$0	Agree
Document and implement procedures for conducting and updating an organization and system-level risk assessment.
8	No	$0	$0	Agree
Update policies and procedures to require that the senior accountable official for risk management, or other designated official, review and approve the continuous monitoring strategy and retain evidence of the review and approval.
11	No	$0	$0	Agree
Update Agency policy to comply with Federal regulations for SA&A. Specifically, complete a system-level continuous monitoring strategy.