Sometimes, Social Security's Office of Inspector General (OIG) completes a report but doesn't want to release it to the public. In these cases OIG issues a "Limited Distribution" report. All that is available to the public is a brief blurb. Here are some excerpts from one of these recent "Limited Distribution" blurbs:
The National Institute of Standards and Technology recommends that security issues be patched timely to maintain the operational availability, confidentiality, and integrity of information technology systems. ...
SSA [Social Security Administration] did not have a comprehensive server patch management program. Consequently, the Agency did not always address known vulnerabilities timely. Specifically, we found that the Agency did not always :
Without an effective patch management process in place, systems are at risk of unauthorized access
- patch Windows servers according to its patch management policies ;
- have effective policies and procedures to ensure UNIX servers were patched timely; or
- address software vulnerabilities on the Windows servers.