A letter from the Government Accountability Office (GAO) (footnotes omitted):
July 7, 2025
Mr. Aram Moghaddassi
Chief Information Officer
Mr. Michael Russo
Chief Information Officer
Social Security Administration
6401 Security Boulevard
Baltimore, MD 21235
Chief Information Officer Open Recommendations: Social Security Administration
I am writing to you both with respect to your roles as the Chief Information Officers (CIO) of the Social Security Administration (SSA). As an independent, non-partisan agency that works for Congress, GAO’s mission is to support Congress in meeting its constitutional responsibilities and help improve the performance and ensure the accountability of the federal government. Our work includes investigating matters related to the use of public funds, evaluating programs and activities of the U.S. Government at the request of congressional committees and subcommittees or on the initiative of the Comptroller General, and as required by public laws or committee reports. Our duties include reporting our findings and recommending ways to increase economy and efficiency in government spending. The purpose of this letter is to provide an overview of the open, publicly available GAO recommendations to SSA that call for the attention of the CIOs.
We identified recommendations that relate to the CIOs’ roles and responsibilities in effectively managing IT. They include strategic planning, investment management, and information security. We have previously reported on the significance of the CIO’s role in improving the government’s performance in IT and related information management functions. Your attention to these recommendations will help ensure the secure and effective use of IT at the agency.
Currently, SSA has 11 open recommendations that call for the attention of the CIOs. Each of these recommendations relates to a GAO High-Risk area: (1) Ensuring the Cybersecurity of the Nation or (2) Improving IT Acquisitions and Management. In addition, GAO has designated one of the 11 as a priority recommendation. Fully implementing these open recommendations agencies. They are highlighted because, upon implementation, they may significantly improve government operations, for example, by realizing large dollar savings; eliminating mismanagement, fraud, and abuse; or making progress toward addressing a high-risk or duplication issue. Since 2015, GAO has sent letters to selected agencies to highlight the importance of implementing such recommendations. Fully implementing these open recommendations could significantly improve SSA’s ability to deter threats and manage its critical systems, operations, and information. I have summarized selected recommendations here. See the enclosure for a full list, and additional details on the recommendations.
Ensuring the Cybersecurity of the Nation. SSA needs to take additional steps to secure the information systems it uses to carry out its mission. Specifically, we recommended that the agency fully implement all event logging requirements as directed by the Office of Management and Budget. Until SSA does so, there is increased risk that the agency will not have complete information from logs on its systems to detect, investigate, and remediate cyber threats.
Improving IT Acquisitions and Management. SSA needs to take steps to improve its IT operations, including developing a complete inventory of telecommunications assets and more consistently tracking software licenses. For example, we recommended that the CIO verify the completeness of SSA’s inventory of current telecommunications assets, and establish a process for ongoing maintenance of the inventory. Until SSA does so, the agency is more likely to experience delays and increased costs during telecommunications contract transitions. We also recommended that SSA consistently track software licenses that are currently in use and compare its inventories of software licenses in use to purchased licenses. Implementing this recommendation will allow SSA to take advantage of opportunities to reduce costs and better inform its investment decision-making.
Copies of this letter are being sent to the appropriate congressional committees and the Federal CIO. The letter will also be available at no charge on the GAO website at https://www.gao.gov. In addition, we sent a separate letter, related to agency-wide priority recommendations, to the Commissioner of SSA.
If you have any questions or would like to discuss any of the recommendations outlined in this letter, please do not hesitate to contact me at marinosn@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this letter. Our teams will continue to coordinate with your staff on addressing these 11 open recommendations that call for the attention of the CIOs. I appreciate SSA’s continued commitment and thank you for your personal attention to these important recommendations.
Nick Marinos
Managing Director
Information Technology and Cybersecurity
Two chiefs, eh? Even GAO is confused. By design, of course.
It’s not a great look that the CIOs, who have yet to actually be formally announced as CIOs, basically destroyed and completely halted investment prioritization and procurement processes. We’re sitting here with no idea how we’re planning to spend our money next fiscal year, and we haven’t paid our bills for months! The organization is at serious risk of our vendor partners discontinuing services because we’ve defaulted. Frankie, how are you gonna respond when AWS turns off the phone system you’ve been bragging about because you won’t pay for the services you’ve bought and used? How are you gonna tell Congress what value taxpayer dollars are delivering if your priorities keep shifting? You came here to “fix” things, but you’re on the brink of irreparable harm.
The sabotage continues unabated...
I tried to mention the new CIO a week ago or so on here
So, how is this co-CIO thing going to work? What happens if they can’t agree? Didn’t DOGE start out with the leaders?….just saying….
Aram spoke at the All Managers call yesterday. Dude couldn't even wear a button down and a jacket (not asking for a tie), but given the circumstances, you can present yourself better. His remarks were totally unprepared, unpolished, and lackluster. Can he help us bring some industry best practices in to deliver better software? I have no doubt. Is he in his 20s, inexperienced, and too far over his head to be CIO? Absolutely!