From a recent report by Social Security's Office of Inspector General (OIG):
Objective
To determine whether the Social Security Administration’s (SSA) overall information security program and practices were effective and consistent with the Federal Information Security Modernization Act of 2014 (FISMA) requirements, as defined in the Fiscal Year (FY) 2022 core Inspector General (IG) FISMA reporting metrics. ...We engaged Grant Thornton LLP (Grant Thornton) to conduct this performance audit ...
Based on the FY 2022 core IG FISMA reporting metrics guidance, Grant Thornton concluded SSA’s overall security program was “Not Effective.”
Although SSA had established an Agency-wide information security program and practices, Grant Thornton identified deficiencies that may limit the Agency’s ability to adequately protect its systems and information. While SSA continued executing its risk-based approach to strengthen controls over its information systems and address weaknesses, Grant Thornton’s audit continued to identify persistent deficiencies in both the design and operation of controls related to the FY 2022 core IG FISMA reporting metrics. ...
I wonder how much they paid Grant Thornton to tell them what everyone has known for a couple decades? Any claimant, employee, or anyone with even the smallest inkling of knowledge of cyber security could have told them it's not effective...for free even! I'm super surprised it hasn't already been breeched. If Equifax can be breeched, definitely it can happen to outdated systems. The borough I live in was involved in a ransomware breech... they had to pay over $400,000 for them to release the borough-wide data as it would have cost more to rebuild the systems. It's only a matter of time for a malicious person. This should probably not have been made public.
ReplyDeleteI am always surprised by comments like 12:58. Because they post like they actually know something when in reality they know nothing. SSA has been doing FISMA annual testing and reporting for over a decade. SSA's OIG every year conducts this kind of a study and SSA cooperates with their investigation. And this is something every single executive branch agency does annually. Specifics are online at https://www.cisa.gov/sites/default/files/publications/FY%202022%20Core%20IG%20FISMA%20Metrics%20Evaluation%20Guide%20%2805-12-22%29.pdf
ReplyDeleteAnd this public report has been sanitized, the actual report contains very detailed specific items and what deadlines and expectations are for remediation. That report is highly restricted. Designed to be made public.
So the idea that SSA's cyber security is "not effective" and that somehow means it can be breached by "Any claimant, employee, or anyone with even the smallest inkling of knowledge" is talking out one's nether regions. It means that GT feels that SSA does not meet the criteria listed by NIST or that they lack acceptable evidence of meeting criteria. It's explained on page 3 of the report. It does not mean that SSA's cybersecurity is "not effective". It means proving SSA lacks the data to prove is effective per the FISMA assessment criteria.
No one is saying SSA's data systems could not be hacked, anything can be given time, opportunity and mistakes on SSA's side. But the idea that the FISMA "Not Effective" means it's non-existent is ridiculous. But yes, reading these things can be boring and looking up the details is even more so thus makes it too easy to skim a bit and come away with conclusions that are just wrong.
And Mr Hall, great NY Post headline BTW. Technically not wrong but also wrong.
The interesting thing is that because of so called "security" SSA has this annoying policy of not allowing emails to contain a claimant's name. What exactly is being protected by hiding a claimant's name from an email? The real effect is to limit the ability of representatives to send inquiries by emails when they can't get through by phone. How can you send an inquiry, regarding a claimant, by email to a legal assistant when you can't identify by name (or SS#) the claimant you are referring to?
ReplyDeleteI’d love to be able to get and respond to emails from the public or reps but I don’t think that’s going to be happening anytime soon.
DeleteI’m definitely not a cyber security professional, but I do not emails are not sure…at all.
The emails we send internally are encrypted. Whether that can be done to emails coming in I have no clue.
Yet they make it next to impossible to set up a MySSA account unless you use a third party to prove your identity to them.
ReplyDeleteAre there systems in place to prevent, or at least detect, unauthorized access by SSA employees into accounts they have no reason to access. Many years ago a secretary mistakenly sent my 1695 with SSN to a local OHO instead of the field office. Subsequently, an OHO employee let slip some information about me that they could not have known unless they had accessed my account. The person who did it was a "VIP" so I decided to let it slide. I often wondered whether SSA tracks all logins such that they could have discovered this breach. Regular random audits of all account access would probably help to detect this and would be a deterrent.
ReplyDeleteOnce the VA lost that laptop, protecting PII became an obsession. Email is intrinsically insecure. Setting up secured email is a pain and hard to do at scale. Because you don't "own" both ends of the transaction nor the lines inbetween outside a closed organization. Meaning email with the public is insecure unless steps are taken. You cannot technically address security on an unknown sender so you have to institute rules over secure content. What can and cannot be sent via insecure public email. Turns out it's not much. That's PII for you. And before anyone gets all "but it's all been exposed by now anyway" as a reason to simply use email, there is a legal obligation on agencies to not "lose" PII, regardless of whether or not that PII has been on the front page of the NY Times. "Thou shalt not lose PII and if you do you must report it fast and deal with potential harmful impacts on the person whose PII you lost" is the commandment. No one wants that for many reasons, including the paperwork involved. Using public email is almost always a loss of PII outside of certain approved uses. Think of it as a kind of lawyer-client privilege where keeping secrets is concerned. Sometimes it gets in the way of doing business. But you have no choice in the matter.
ReplyDeleteHow can my information be safe if it is in your house?
ReplyDeleteSame way it’s safe in the Field office…it’s not. You’re not supposed to write anything down at home and you cannot print at home.
DeleteIt’s not any safer in the field office though. Trust me. Stuff printed and laying around everywhere. Cleaning crews and contractors coming in with PII everywhere. Cameras on phones and not secured.
No printing, but I sure can take a photo of the screen and print and send it anywhere.
DeleteThere are systems and audits and alerting systems in place that monitor employee access to about everything. You get an access profile and are blocked from things not in your profile. Attempts to access systems you have no business accessing are not just blocked but recorded and alerted to management and/or an internal staff that managed these systems. For example, if someone with access to MBR or similar systems looks up a family member, if people look up celebrities, if programmers try and access systems they have no business accessing. People in central office have access to financial systems but not to the production systems used by the field unless their job requires such.
ReplyDeleteIt's very granular and all inclusive and randomly audited (if staff power is available, so maybe not so much with today's backlogs...) That stuff has been in place both as policies and as computer system controls since agency founded and since computers could play a role.
@3:54 PM
ReplyDeleteThanks for the information. Good to know that there are systems in place to prevent unauthorized access to personal information.