1 OFFICE OF THE INSPECTOR GENERAL SOCIAL SECURITY ADMINISTRATION CONTRACTOR SECURITY OF THE SOCIAL SECURITY ADMINISTRATION S HOMELAND SECURITY PRESIDENTIAL DIRECTIVE 12 CREDENTIALS June 2012 A AUDIT REPORT
2 Mission By conducting independent and objective audits, evaluations and investigations, we inspire public confidence in the integrity and security of SSA s programs and operations and protect them against fraud, waste and abuse. We provide timely, useful and reliable information and advice to Administration officials, Congress and the public. Authority The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to: Conduct and supervise independent and objective audits and investigations relating to agency programs and operations. Promote economy, effectiveness, and efficiency within the agency. Prevent and detect fraud, waste, and abuse in agency programs and operations. Review and make recommendations regarding existing and proposed legislation and regulations relating to agency programs and operations. Keep the agency head and the Congress fully and currently informed of problems in agency programs and operations. To ensure objectivity, the IG Act empowers the IG with: Independence to determine what reviews to perform. Access to all information necessary for the reviews. Authority to publish findings and recommendations based on the reviews. Vision We strive for continual improvement in SSA s programs, operations and management by proactively seeking new ways to prevent and deter fraud, waste and abuse. We commit to integrity and excellence by supporting an environment that provides a valuable public service while encouraging employee development and retention and fostering diversity and innovation.
3 SOCIAL SECURITY MEMORANDUM Date: June 1, 2012 Refer To: To: The Commissioner From: Inspector General Subject: Contractor Security of the Social Security Administration s Homeland Security Presidential Directive 12 Credentials (A ) OBJECTIVE The objective of our review was to assess the Social Security Administration s (SSA) contractor process for safeguarding Homeland Security Presidential Directive 12 (HSPD-12) 1 credentials and the personally identifiable information (PII) 2 contained on them. BACKGROUND HSPD-12 defines a common identification standard for Federal employees and contractors. HSPD-12 requires the development and implementation of a mandatory, Government-wide standard for secure and reliable forms of identification issued by the Federal agencies to their employees and contractors so that they can gain physical access to federally controlled facilities or logical access to federally controlled information systems. 3 OMB designated the General Services Administration (GSA) as the executive agent for the Government-wide acquisition of information technology products and services 1 HSPD-12, Policy for a Common Identification Standard for Federal Employees and Contractors, August 27, Office of Management and Budget (OMB) Memorandum M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments, July 2006, page 1, defines PII as any information about an individual maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history and information which can be used to distinguish or trace an individual's identity, such as their name, Social Security number, date and place of birth, mother's maiden name, biometric records, etc., including any other personal information that is linked or linkable to an individual. 3 HSPD-12, supra.
4 Page 2 - The Commissioner required to implement HSPD When developing blanket purchase agreements for HSPD-12 products and service acquisitions, GSA is to ensure all approved suppliers provide products and services that meet all applicable Federal standards and requirements. 5 Federal agencies and departments are encouraged to use the acquisition services GSA provides. 6 As the executive agent for HSPD-12 acquisitions, GSA develops a contractual relationship with the supplier. Federal agencies develop and send Statements of Work (SoW) 7 containing contract requirements to GSA. GSA uses the SoW as a contract to procure the products and services on behalf of the Federal agencies. For instance, SSA worked with GSA to contract with a company that provided security and identity solutions and services based on smart card technologies to create the HSPD-12 credentials. 8 GSA served as SSA s contracting officer for the contract the Agency used to acquire the HSPD-12 credentials. 9 SSA required that the contractor produce the smart cards for SSA s credentials and personalize the surface of the credential with the employee or contractor s full name and photograph, card s expiration date, card s identification number, and issuer s identification number. 10 The contractor created the credentials and delivered them to over 1,600 SSA locations nationwide. In the United States, the contractor has one facility to manufacture the credentials and another facility to personalize them. (See Appendix C for detailed description of the credential creation process.) 4 OMB, M-05-24, Implementation of HSPD Policy for a Common Identification Standard for Federal Employees and Contractors, Attachment A 5.B, page 8 (August 5, 2005). 5 Id. 6 Id. 7 SSA s Project Resource Guide glossary defines SoW as a document that outlines the specific supplies and services the project team wants delivered by a prospective contractor. The content of the SoW determines the type of contract that is awarded, influences the number and quality of proposals received, and serves as a baseline against which to evaluate proposals, and later, contractor performance. 8 GSA Contract Number GS03T09DSC6003, Solicitation Number R , (June 11, 2009). 9 Id. 10 SoW, Social Security Administration, SSA PIV II Cards R , Section 2.3.3, page 3.
5 Page 3 - The Commissioner The Federal Information Security Management Act of 2002 (FISMA) requires that each Federal agency provide information security protections for (i) information collected or maintained by, or on behalf of, the agency and (ii) information systems used or operated by an agency or a contractor of an agency or other organization on behalf of an agency. 11 Federal agencies must ensure their contractors comply with FISMA and related policy requirements 12 and include those requirements in contracts and grants. 13 In addition, HSPD-12 guidance 14 requires that Personal Identity Verification 15 (PIV) service providers use systems that are certified 16 according to Federal security standards, so all cards are issued by providers whose reliability has been appropriately accredited. Finally, OMB requires that agencies properly safeguard PII that is accessed remotely or physically transported outside an agency s secured, physical perimeter. 17 To achieve our objective, we reviewed the Agency s contract and visited two contractor sites to view the contractor s HSPD-12 credential production, personalization, and packaging and shipping processes. 11 Pub. L. No , Title III, Section (a)(1)(A), 44 U.S.C. 3544(a)(1)(A). FISMA requires that the head of each agency be responsible for providing protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of such information and systems. 12 According to OMB M-11-33, FY 2011 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, Frequently Asked Questions, Question 38, page 14 (September 14, 2011), Federal agencies must ensure their contractors abide by FISMA requirements. 13 OMB, M-11-33, supra, Frequently Asked Questions, Question 41, page According to Federal Information Processing Standards Publication (FIPS Pub.) 201-1, Personal Identity Verification of Federal Employees and Contractors, March 2006, Appendix B, Section B.2, p. 64, to accomplish the accreditation of PIV service providers and meet compliance with OMB Circular A-130, App. III, the Information Technology system(s) used by PIV service providers must be certified in accordance with NIST Special Publication (SP) , Guide for the Security Certification and Accreditation of Federal Information Systems. 15 NIST, SP , Guidelines for the Accreditation of Personal Identity Verification Card Issuers, Executive Summary, page 1, (June 2008), states that PIV specifications are to be used as a foundation for securely identifying every individual seeking access to valuable and sensitive Federal resources, including buildings, information systems, and computer networks. 16 NIST, SP was revised to effectively include the certification and accreditation process as security authorization. See NIST, SP , Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, pages B-1 and B-8 (February 2010). 17 OMB, M-06-16, Protection of Sensitive Agency Information (June 23, 2006).
6 Page 4 - The Commissioner RESULTS OF REVIEW Our interviews and observations found nothing to indicate the contractor s HSPD-12 credential manufacturing and personalization process had any physical and logical security control vulnerabilities 18 used to protect the HSPD-12 credentials and the PII contained in them. However, we did identify two contractor oversight concerns and two contract management issues that we want to bring to your attention. Contractor Oversight o SSA did not ensure the contractor personnel received appropriate training to safeguard Agency PII. o The contractor s information systems were not certified and accredited, as required by Federal guidance. Contract Management o SSA s GSA contract did not contain all the appropriate security clauses. o The contractor did not have a back-up facility in the United States, as required by the contract. We discussed the contract management issues with SSA management and GSA s contracting officer. Based on our discussions, it is unclear which party is responsible for resolving these issues; therefore, we plan to submit our concerns to GSA s Office of Inspector General in a separate memorandum. SSA DID NOT ENSURE CONTRACTOR PERSONNEL RECEIVED APPROPRIATE TRAINING TO SAFEGUARD AGENCY PII SSA did not ensure contractor personnel received appropriate training, such as user awareness training and training on safeguarding PII. During our review, we identified three contractor personnel who had regular access to SSA files that contained PII. When asked, contractor personnel could not identify specific policy or procedures that should be used in the event of a loss of PII. Contractor personnel received security training when they are hired and annual refresher training. However, the majority of the training was on physical security controls, not PII protection. Although SSA established policies and procedures for PII protection, it did not ensure the contractor understood its responsibilities to safeguard PII. Without proper training on the Agency s policies and procedures, contractor personnel will not be aware of the expected responsibilities to protect PII, which unnecessarily places SSA s data at a higher risk of harm. 18 The physical control is the implementation of security measures in a defined structure used to deter or prevent unauthorized access to sensitive material. Examples of physical controls are security guards, picture identification, and locked/dead-bolted doors. Logical controls are tools used for identification, authentication, authorization, and accountability in computer information systems.
7 Page 5 - The Commissioner Agencies are fully responsible and accountable for ensuring all FISMA and related policy requirements are implemented and reviewed with relation to contractor services. 19 Agencies must ensure the contractor implements identical, not "equivalent," security procedures. 20 Furthermore, since SSA is a PIV card issuer, 21 it is responsible for the management and oversight of contractor services. 22 Specifically, the Agency is responsible for ensuring the contractor personnel receive appropriate training, such as user awareness training and training on agency policy and procedures. 23 CONTRACTOR S INFORMATION SYSTEMS WERE NOT CERTIFIED AND ACCREDITED, AS REQUIRED BY FEDERAL GUIDANCE SSA did not perform a certification and accreditation (C&A) 24,25 review of the contractor s information systems or obtain assurance from GSA or the contractor that an appropriate C&A had been performed, as required by NIST SP , Guidelines for the Accreditation of Personal Identity Verification Card Issuers, 26 and FIPS Pub , Personal Identity Verification of Federal Employees and Contractors. 27 Agency officials stated that GSA, as the executive agent appointed by OMB, provided a certified list of vendors that met all Federal requirements. SSA has accepted this certification and believes that the vendor has met all the needed FISMA requirements. It was not apparent that the GSA certification also incorporated FISMA requirements. To that end, we asked GSA whether it had performed a C&A review on the contractor s systems as well as requested any related C&A documentation. To date, GSA has not provided us any of the requested information. 19 OMB, M-11-33, supra, Frequently Asked Questions, Question 40, pages 15 and Id. 21 According to NIST, SP , supra at page 8, PIV Card Issuer includes all functions required to produce, issue, and maintain PIV Cards for an organization. 22 NIST, SP , supra at 2.1, page OMB, M-11-33, supra, Frequently Asked Questions, Question 40, pages 15 and FIPS, Pub , supra, at Appendix B, Section B.2, page NIST, SP , Revision 1, supra at pp. B-1 and B-8, defines the security authorization as The official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls. 26 NIST SP states PIV Card Issuer information systems are certified in accordance with NIST SP , Appendix G, page FIPS, Pub , supra, at Appendix B, section B.2, page 64. Also, see Footnote 13.
8 Page 6 - The Commissioner FISMA requires that agencies ensure contractors handling Federal information or operating information systems on the Government s behalf meet the same security requirements as Federal agencies. 28 OMB requires that agencies obtain sufficient assurance that security controls over contractor systems are effectively implemented and comply with Federal and agency guidelines. 29 The Agency is responsible for ensuring the contractor s information systems meet Federal security requirements. Therefore, SSA should have obtained evidence of a proper C&A review from GSA or the contractor. As a result of SSA not obtaining the aforementioned evidence, the Agency may not have been fully aware of the contractor s risks and whether effective security controls were implemented at the contractor s facility. During our discussions with the contractor personnel, they stated the company had conducted periodic security reviews to meet other client s security requirements. We requested the contractor provide security requirements it deploys when providing similar services to other clients. Our goal was to compare those requirements to Federal security standards; however, the contractor could not provide this documentation because of non-disclosure agreements with other clients. Instead, the contractor provided documentation that demonstrated how it met the clients security requirements for the past 2 years. Although it appears the contractor met its other clients security requirements, we were unable to determine whether the security measures deployed by the contractor met Federal security standards. It should be noted that the contractor s services to other clients involve sensitive personal information similar to that of SSA. We recommend SSA request documentation from GSA that the contractor s information systems are certified and accredited as required by Federal requirements. However, if GSA did not perform a C&A review of the contractor s information systems, SSA should seek guidance from OMB to determine which agency is responsible for conducting this review of the contractor s information systems. 28 Pub. L. No , Title III, Section (a)(1)(A)(ii). Also, see OMB, M-11-33, supra, Frequently Asked Questions, Question 40, page Department of Homeland Security (DHS), FY 2011 Inspector General Federal Information Security Management Act Reporting, Version 1.0, question 10.a(2) (June 1, 2011). In July 2010, DHS began exercising primary responsibility within the executive branch for the operational aspects of Federal cybersecurity with respect to the Federal information systems that fall within FISMA under 44 U.S.C DHS provided Fiscal Year (FY) 2011 FISMA reporting instructions to Federal Chief Information Officers, Inspectors General, and Senior Agency Officials for Privacy. OMB, M-10-28, Clarifying Cybersecurity Responsibilities and Activities of the Executive Office of the President and the Department of Homeland Security, pages 1 and 2, July 6, Also, see M-11-33, supra, page 1.
9 Page 7 - The Commissioner CONCLUSION AND RECOMMENDATIONS Based on our interviews and observations, nothing came to our attention that indicated the contractor s card manufacturing and personalization process had any vulnerability in its physical and logical security controls used to protect the HSPD-12 credentials and the PII contained on them. However, we did identify some management oversight concerns that we wanted to bring to your attention to help ensure the continued security of the Agency s HSPD-12 credentials. Because of these concerns, we recommend SSA: 1. Ensure contractor personnel receive appropriate training on Agency s policies and procedures for safeguarding PII. 2. Request documentation from GSA that the contractor s information systems are certified and accredited as required by Federal requirements. However, if GSA did not perform a C&A review of the contractor s information systems, SSA should seek guidance from OMB to determine which agency is responsible for conducting this review on the contractor s information systems. AGENCY COMMENTS AND OIG RESPONSE SSA agreed with our recommendations. See Appendix D for the Agency s comments. Patrick P. O Carroll, Jr.
10 Appendices APPENDIX A Acronyms APPENDIX B Scope and Methodology APPENDIX C Homeland Security Presidential Directive 12 Creation Process APPENDIX D Agency Comments APPENDIX E OIG Contacts and Staff Acknowledgments
11 Appendix A Acronyms C&A Certification and Accreditation DHS Department of Homeland Security FIPS PUB. Federal Information Processing Standards Publication FISMA Federal Information Security Management Act of 2002 FY Fiscal Year GSA General Services Administration HSPD-12 Homeland Security Presidential Directive 12 NIST National Institute of Standards and Technology OMB Office of Management and Budget PII Personally Identifiable Information PIV Personal Identity Verification Pub. L. No. Public Law Number SoW Statement of Work SP Special Publication SSA Social Security Administration U.S.C. United States Code
12 Appendix B Scope and Methodology To meet the objectives of our review, we performed the following procedures. 1. Reviewed the General Service Administration s contract document (Contract Number GS03T09DSC6003), Statement of Work, Social Security Administration, SSA PIV II Cards, R to determine whether the Social Security Administration (SSA) included all appropriate security and contract clauses in the contract. 2. Observed SSA s process for transferring Agency employee and contractor personally identifiable information (PII) 1 to the contractor s system to determine whether the transfer complied with SSA and Federal requirements. 3. Conducted on-site visits of the contractor s Homeland Security Presidential Directive 12 (HSPD-12) credentials production, personalization, and packaging and shipping processes at two contractor sites. We observed the creation of the HSPD- 12 credentials and observed the contractor s physical and logical security controls implemented to protect SSA s credentials. We visited two of the contractor s facilities: the manufacturing site and the personalization facility in the United States. No testing of the contractor s physical and logical security controls was performed. 4. Compared and assessed the contractor s process to safeguard PII to relevant Federal laws, regulations, standards, and guidelines. We also reviewed the following. The Privacy Act of 1974, as amended, 5 U.S.C. 552a; The Federal Information Security Management Act of 2002; 44 U.S.C et seq.; Office Management and Budget (OMB) Memorandum M-05-24, Implementation of HSPD-12--Policy for a Common Identification Standard for Federal Employees and Contractors, August 5, 2005; Attachment B HSPD-12, Policy for a Common Identification Standard for Federal Employees and Contractors, August 27, 2004; OMB, M-11-33, FY 2011 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, September 14, 2011; 1 OMB, Memorandum M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments, July 2006, page 1, defines PII as any information about an individual maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history and information which can be used to distinguish or trace an individual's identity, such as their name, social security number, date and place of birth, mother's maiden name, biometric records, etc., including any other personal information which is linked or linkable to an individual. B-1
13 OMB, M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, May 22, 2007; OMB, M-06-16, Protection of Sensitive Agency Information, June 23, 2006; OMB, M-03-22, Office of Management and Budget Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, September 26, 2003; General Services Administration Federal Supply Service Memorandum, Acquisition of Products and Services for Implementation of HSPD-12, August 10, 2005; OMB Circular A-130, Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources, February 8, 1996; Federal Information Processing Standards Publication 201-1, Personal Identity Verification of Federal Employees and Contractors, March 2006; National Institute of Standards and Technology (NIST) Special Publication (SP) , Revision 3, Recommended Security Controls of Federal Information Systems and Organizations, August 2009; NIST, SP , Guidelines for the Accreditation of Personal Identity Verification Card Issuers, June 2008; NIST, SP , Guide to Protecting the Confidentiality of PII, April 2010; and NIST, SP , Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems, February We performed our fieldwork at SSA s contractor facilities and Headquarters from June through September We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. B-2
14 Appendix C Homeland Security Presidential Directive -12 Creation Process As part of the credential creation process, the Social Security Administration (SSA) electronically transmits data files 1 containing personally identifiable information to the contractor. The data files are transmitted through an encrypted channel. 2 Once the contractor receives the data files, the pre-manufactured credential is personalized. In turn, the contractor ships the credentials via Federal Express to SSA. Once received, SSA adds additional information 3 to the credential before issuing it to the appropriate employee or contractor. See the diagram below. 1 The files contain SSA employee or contractor s first name, middle initial, last name, card expiration date, agency affiliation, and photograph. 2 SSA used Secure Shell to interact with the contractor s card production system. Secure Shell provides a secure data communication between two networked computers that connects through a secure channel. 3 SSA downloads electronic certificates for authentication purposes onto the credentials.
15 Agency Comments Appendix D
16 SOCIAL SECURITY MEMORANDUM Date: May 24, 2012 Refer To: S1J-3 To: From: Patrick P. O Carroll, Jr. Inspector General Dean S. Landis /s/ Deputy Chief of Staff Subject: Office of the Inspector General Draft Report, Contractor Security of the Social Security Administration s Homeland Security Presidential Directive 12 Credentials (A ) INFORMATION Thank you for the opportunity to review the draft report. Please see our attached comments. Please let me know if we can be of further assistance. You may direct staff inquiries to Amy Thompson at (410) Attachment D-1
17 COMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL DRAFT REPORT, CONTRACTOR SECURITY OF THE SOCIAL SECURITY ADMINISTRATION S HOMELAND SECURITY PRESIDENTIAL DIRECTIVE 12 CREDENTIALS (A ) Recommendation 1 Ensure contractor personnel receive appropriate training on Agency s policies and procedures for safeguarding PII. Response We agree. We will provide the contractor with appropriate policies and training materials on safeguarding personally identifiable information. Recommendation 2 Request documentation from GSA that the contractor s information systems are certified and accredited as required by Federal requirements. However, if GSA did not perform a C & A review of the contractor s information systems, SSA should seek guidance from OMB to determine which agency is responsible for conducting this review on the contractor s information systems. Response We agree. D-2
18 OIG Contacts and Staff Acknowledgments OIG Contacts Appendix E Brian Karpe, Director, Information Technology Audit Division Grace Chi, Audit Manager Acknowledgments In addition to those named above: Tina Nevels, Auditor For additional copies of this report, please visit our Website at or contact the Office of the Inspector General s Public Affairs Staff at (410) Refer to Common Identification Number A
19 DISTRIBUTION SCHEDULE Commissioner of Social Security Chairman and Ranking Member, Committee on Ways and Means Chief of Staff, Committee on Ways and Means Chairman and Ranking Minority Member, Subcommittee on Social Security Majority and Minority Staff Director, Subcommittee on Social Security Chairman and Ranking Minority Member, Committee on the Budget, House of Representatives Chairman and Ranking Minority Member, Committee on Oversight and Government Reform Chairman and Ranking Minority Member, Committee on Appropriations, House of Representatives Chairman and Ranking Minority, Subcommittee on Labor, Health and Human Services, Education and Related Agencies, Committee on Appropriations, House of Representatives Chairman and Ranking Minority Member, Committee on Appropriations, U.S. Senate Chairman and Ranking Minority Member, Subcommittee on Labor, Health and Human Services, Education and Related Agencies, Committee on Appropriations, U.S. Senate Chairman and Ranking Minority Member, Committee on Finance Chairman and Ranking Minority Member, Subcommittee on Social Security Pensions and Family Policy Chairman and Ranking Minority Member, Senate Special Committee on Aging Social Security Advisory Board
20 Overview of the Office of the Inspector General The Office of the Inspector General (OIG) is comprised of an Office of Audit (OA), Office of Investigations (OI), Office of the Counsel to the Inspector General (OCIG), Office of External Relations (OER), and Office of Technology and Resource Management (OTRM). To ensure compliance with policies and procedures, internal controls, and professional standards, the OIG also has a comprehensive Professional Responsibility and Quality Assurance program. Office of Audit OA conducts financial and performance audits of the Social Security Administration s (SSA) programs and operations and makes recommendations to ensure program objectives are achieved effectively and efficiently. Financial audits assess whether SSA s financial statements fairly present SSA s financial position, results of operations, and cash flow. Performance audits review the economy, efficiency, and effectiveness of SSA s programs and operations. OA also conducts short-term management reviews and program evaluations on issues of concern to SSA, Congress, and the general public. Office of Investigations OI conducts investigations related to fraud, waste, abuse, and mismanagement in SSA programs and operations. This includes wrongdoing by applicants, beneficiaries, contractors, third parties, or SSA employees performing their official duties. This office serves as liaison to the Department of Justice on all matters relating to the investigation of SSA programs and personnel. OI also conducts joint investigations with other Federal, State, and local law enforcement agencies. Office of the Counsel to the Inspector General OCIG provides independent legal advice and counsel to the IG on various matters, including statutes, regulations, legislation, and policy directives. OCIG also advises the IG on investigative procedures and techniques, as well as on legal implications and conclusions to be drawn from audit and investigative material. Also, OCIG administers the Civil Monetary Penalty program. Office of External Relations OER manages OIG s external and public affairs programs, and serves as the principal advisor on news releases and in providing information to the various news reporting services. OER develops OIG s media and public information policies, directs OIG s external and public affairs programs, and serves as the primary contact for those seeking information about OIG. OER prepares OIG publications, speeches, and presentations to internal and external organizations, and responds to Congressional correspondence. Office of Technology and Resource Management OTRM supports OIG by providing information management and systems security. OTRM also coordinates OIG s budget, procurement, telecommunications, facilities, and human resources. In addition, OTRM is the focal point for OIG s strategic planning function, and the development and monitoring of performance measures. In addition, OTRM receives and assigns for action allegations of criminal and administrative violations of Social Security laws, identifies fugitives receiving benefit payments from SSA, and provides technological assistance to investigations.
OFFICE OF THE INSPECTOR GENERAL SOCIAL SECURITY ADMINISTRATION CONTRACT WITH DELL MARKETING, L.P., FOR MICROSOFT LICENSING AND MAINTENANCE September 2011 A-06-10-10175 AUDIT REPORT Mis s ion By conducting
OFFICE OF THE INSPECTOR GENERAL SOCIAL SECURITY ADMINISTRATION THE SOCIAL SECURITY ADMINISTRATION S RECOVERY ACT-FUNDED CONTRACT WITH INTERNATIONAL BUSINESS MACHINES, INC., BLANKET PURCHASE AGREEMENT SS00-08-40004,
OFFICE OF THE INSPECTOR GENERAL SOCIAL SECURITY ADMINISTRATION THE PHYSICAL SECURITY OF THE SOCIAL SECURITY ADMINISTRATION S CONTRACTOR OWNED AND OPERATED OFF-SITE STORAGE FACILITY September 2012 A-14-12-11227
OFFICE OF THE INSPECTOR GENERAL SOCIAL SECURITY ADMINISTRATION THE IMPACT ON NETWORK SECURITY OF THE SOCIAL SECURITY ADMINISTRATION S OPERATING SYSTEMS CONVERSIONS September 2004 A-14-04-24019 AUDIT REPORT
OFFICE OF THE INSPECTOR GENERAL SOCIAL SECURITY ADMINISTRATION IMPROPERLY TITLED BANK ACCOUNTS FOR BENEFICIARIES WITH REPRESENTATIVE PAYEES March 2011 A-01-09-19055 AUDIT REPORT Mis s ion By conducting
NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL FY 2015 INDEPENDENT EVALUATION OF THE EFFECTIVENESS OF NCUA S INFORMATION SECURITY PROGRAM UNDER THE FEDERAL INFORMATION SECURITY MODERNIZATION
NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL INDEPENDENT EVALUATION OF THE NATIONAL CREDIT UNION ADMINISTRATION S COMPLIANCE WITH THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA)
OFFICE OF THE INSPECTOR GENERAL SOCIAL SECURITY ADMINISTRATION FOLLOW-UP: THE SOCIAL SECURITYADMINISTRATION S MANAGEMENT OF ITS FEDERAL EMPLOYEES COMPENSATION ACT PROGRAM March 2008 A-13-07-17074 AUDIT
U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL FINAL REPORT: U.S. Election Assistance Commission Compliance with the Requirements of the Federal Information Security Management Act Fiscal
OFFICE OF THE INSPECTOR GENERAL SOCIAL SECURITY ADMINISTRATION THREATS AGAINST SOCIAL SECURITY ADMINISTRATION EMPLOYEES OR PROPERTY November 2010 A-06-10-20123 EVALUATION REPORT Mis s ion By conducting
SEPTEMBER 16, 2010 AUDIT REPORT OFFICE OF AUDITS REVIEW OF NASA S MANAGEMENT AND OVERSIGHT OF ITS INFORMATION TECHNOLOGY SECURITY PROGRAM OFFICE OF INSPECTOR GENERAL National Aeronautics and Space Administration
Department of Health and Human Services OFFICE OF INSPECTOR GENERAL REVIEW OF MEDICARE CONTRACTOR INFORMATION SECURITY PROGRAM EVALUATIONS FOR FISCAL YEAR 2013 Inquiries about this report may be addressed
OFFICE OF THE INSPECTOR GENERAL SOCIAL SECURITY ADMINISTRATION UNIVERSITIES USE OF SOCIAL SECURITY NUMBERS AS STUDENT IDENTIFIERS IN REGION X March 2005 A-08-05-15033 AUDIT REPORT Mission We improve SSA
OFFICE OF INSPECTOR GENERAL Audit Report Evaluation of the Railroad Retirement Board Medicare Contractor s Information Security Report No. 08-04 September 26, 2008 RAILROAD RETIREMENT BOARD INTRODUCTION
POSTAL REGULATORY COMMISSION OFFICE OF INSPECTOR GENERAL FINAL REPORT INFORMATION SECURITY MANAGEMENT AND ACCESS CONTROL POLICIES Audit Report December 17, 2010 Table of Contents INTRODUCTION... 1 Background...1
Department of Health and Human Services OFFICE OF INSPECTOR GENERAL INFORMATION SECURITY AT THE HEALTH RESOURCES AND SERVICES ADMINISTRATION NEEDS IMPROVEMENT BECAUSE CONTROLS WERE NOT FULLY IMPLEMENTED
Department of Health and Human Services OFFICE OF INSPECTOR GENERAL THE INFORMATION TECHNOLOGY INFRASTRUCTURE AND OPERATIONS OFFICE HAD INADEQUATE INFORMATION SECURITY CONTROLS Inquires about this report
Audit Report The Social Security Administration s Internal Controls over Issuing and Monitoring Contractors Homeland Security Presidential Directive-12 Credentials A-15-11-11178 April 2013 MEMORANDUM Date:
OFFICE OF INSPECTOR GENERAL Audit Report Catalyst for Improving the Environment EPA Needs to Strengthen Its Privacy Program Management Controls Report No. 2007-P-00035 September 17, 2007 Report Contributors:
THE FCA INSPECTOR GENERAL: A COMMITMENT TO PUBLIC SERVICE FORWARD I am pleased to introduce the mission and authorities of the Office of Inspector General for the Farm Credit Administration. I hope this
Identity and Access Management Initiatives in the United States Government Executive Office of the President November 2008 Importance of Identity Management within the Federal Government "Trusted Identity"
Department of Health and Human Services OFFICE OF INSPECTOR GENERAL THE CENTERS FOR MEDICARE & MEDICAID SERVICES IMPLEMENTATION OF SECURITY CONTROLS OVER THE MULTIDIMENSIONAL INSURANCE DATA ANALYTICS SYSTEM
PUBLIC LAW 113 283 DEC. 18, 2014 128 STAT. 3073 Public Law 113 283 113th Congress An Act To amend chapter 35 of title 44, United States Code, to provide for reform to Federal information security. Be it
I. U.S. Government Privacy Laws A. Privacy Definitions and Principles a. Privacy Definitions i. Privacy and personally identifiable information (PII) b. Privacy Basics Definition of PII 1. Office of Management
Department of Health and Human Services OFFICE OF INSPECTOR GENERAL HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS AT STATE MEDICAID AGENCIES Inquiries
EVALUATION REPORT Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review March 13, 2015 REPORT NUMBER 15-07 EXECUTIVE SUMMARY Weaknesses Identified During the FY 2014
PART 2006 - MANAGEMENT Subpart Z - Information Systems Security TABLE OF CONTENTS Sec. 2006.1251 Purpose. 2006.1252 Policy. 2006.1253 Definitions. 2006.1254 Authority. (a) National. (b) Departmental. 2006.1255
Department of Defense DIRECTIVE NUMBER 5400.11 October 29, 2014 DCMO SUBJECT: DoD Privacy Program References: See Enclosure 1 1. PURPOSE. This directive: a. Reissues DoD Directive (DoDD) 5400.11 (Reference
Department of Health and Human Services OFFICE OF INSPECTOR GENERAL CMS DID NOT ALWAYS MANAGE AND OVERSEE CONTRACTOR PERFORMANCE FOR THE FEDERAL MARKETPLACE AS REQUIRED BY FEDERAL REQUIREMENTS AND CONTRACT
Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015 OIG-16-A-03 November 12, 2015 All publicly available OIG reports (including
U.S. Department of Education Office of Inspector General Five-Year Strategic Plan Fiscal Years 2014 2018 Promoting the efficiency, effectiveness, and integrity of the Department s programs and operations
OFFICE OF THE CHIEF INFORMATION OFFICER Date of Issuance: May 22, 2009 Effective Date: May 22, 2009 Review Date: Section I. PURPOSE II. AUTHORITY III. SCOPE IV. DEFINITIONS V. POLICY VI. RESPONSIBILITIES
Department of Health and Human Services OFFICE OF INSPECTOR GENERAL NOT ALL COMMUNITY SERVICES BLOCK GRANT RECOVERY ACT COSTS CLAIMED ON BEHALF OF THE COMMUNITY ACTION PARTNERSHIP OF NATRONA COUNTY FOR
Legislative Language SEC. 1. COORDINATION OF FEDERAL INFORMATION SECURITY POLICY. (a) IN GENERAL. Chapter 35 of title 44, United States Code, is amended by striking subchapters II and III and inserting
Department of Health and Human Services OFFICE OF INSPECTOR GENERAL THE OFFICE OF THE NATIONAL COORDINATOR FOR HEALTH INFORMATION TECHNOLOGY S OVERSIGHT OF THE TESTING AND CERTIFICATION OF ELECTRONIC HEALTH
2012 FISMA Executive Summary Report March 29, 2013 UNITED STATES SECURITIES AND EXCHANGE COMMISSION WASHINGTON, D.C. 20549 OI'!'ICEOI' lnstfl! C1'0R GENERAt MEMORANDUM March 29,2013 To: Jeff Heslop, Chief
Get Confidence in Mission Security with IV&V Information Assurance September 10, 2014 Threat Landscape Regulatory Framework Life-cycles IV&V Rigor and Independence Threat Landscape Continuously evolving
DEPARTMENT OF HOMELAND SECURITY < Office of Inspector General Letter Report: Review of DHS Financial Systems Consolidation Project OIG-08-47 May 2008 Office of Inspector General U.S. Department of Homeland
Audit of Case Activity Tracking System Security Report No. OIG-AMR-33-01-02 BACKGROUND OBJECTIVES, SCOPE, AND METHODOLOGY FINDINGS INFORMATION SECURITY PROGRAM AUDIT FOLLOW-UP CATS SECURITY PROGRAM PLANNING
Evaluation of DHS Information Security Program for Fiscal Year 2013 OIG-14-09 November 2013 Washington, DC 20528 / www.oig.dhs.gov November 21, 2013 MEMORANDUM FOR: FROM: SUBJECT: Jeffrey Eisensmith Chief
AUGUST 16, 2013 Privacy Impact Assessment CIVIL PENALTY FUND AND BUREAU-ADMINISTERED REDRESS PROGRAM Contact Point: Claire Stapleton Chief Privacy Officer 1700 G Street, NW Washington, DC 20552 202-435-7220
Cyber Side-Effects: How Secure is the Personal Information Entered into the Flawed Healthcare.gov? Statement for the Record Roberta Stempfley Acting Assistant Secretary for Cybersecurity and Communications
DEPARTMENT OF HEALTH & HUMAN SERVICES Office of Inspector General Office of Audit Services, Region VII 601 East 12 th Street, Room 0429 Kansas City, MO 64106 May 12, 2011 Report Number: A-07-11-00362 Mr.
O FFICE OF I NSPECTOR GENERAL Audit Report 2014-IT-B-019 2014 Audit of the Board s Information Security Program November 14, 2014 B OARD OF G OVERNORS OF THE F EDERAL R ESERVE S YSTEM C ONSUMER FINANCIAL
INFORMATION SECURITY Evaluation of GAO s Program and Practices for Fiscal Year 2012 OIG-13-2 Office of the Inspector General U.S. Government Accountability Office Report Highlights February 2013 INFORMATION
Office of the Inspector General United States Office of Personnel Management Statement of Michael R. Esser Assistant Inspector General for Audits before the Committee on Appropriations United States Senate
This document is scheduled to be published in the Federal Register on 02/11/2016 and available online at http://federalregister.gov/a/2016-02788, and on FDsys.gov Billing Code: 5001-06 DEPARTMENT OF DEFENSE
PROCESSING CLASSIFIED INFORMATION ON PORTABLE COMPUTERS IN THE DEPARTMENT OF JUSTICE U.S. Department of Justice Office of the Inspector General Audit Division Audit Report 05-32 July 2005 PROCESSING CLASSIFIED
FITSP-Auditor Candidate Exam An Overview of the FITSP-A Certification 2010 Edition Copyright 2009-2010 FITSI 1 FITSP-Auditor Candidate Exam This page is left intentionally blank Copyright 2009-2010 FITSI
Audit Report The Social Security Administration s Process to Identify and Monitor the Security of Hardware Devices Connected to its Network A-14-13-13050 October 2013 MEMORANDUM Date: October 1, 2013 Refer
Audit Report Performance Indicator Audit: Minimize Average Wait Time for Initial Disability Claims A-07-14-24004 January 2015 MEMORANDUM Date: January 30, 2015 Refer To: To: From: The Commissioner Inspector
H. R. 2458 48 (1) maximize the degree to which unclassified geographic information from various sources can be made electronically compatible and accessible; and (2) promote the development of interoperable
TABLE OF CONTENTS General Topics Purpose and Authorities Roles and Responsibilities Policy and Program Waiver Process Contact Abbreviated Sections/Questions 7.1 What is the purpose of this chapter? 7.2
TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION Improvements Are Needed to the Information Security Program March 11, 2008 Reference Number: 2008-20-076 This report has cleared the Treasury Inspector
OFFICE OF INSPECTOR GENERAL Special Report Catalyst for Improving the Environment Fiscal Year 2007 Federal Information Security Management Act Report Status of EPA s Computer Security Program Report No.
Page 2 Kerry Weems perform cost settlements to ensure that future final payments for school-based services are based on actual costs. In written comments on our draft report, the State agency concurred
Compliance and Industry Regulations Table of Contents Introduction...1 Executive Summary...1 General Federal Regulations and Oversight Agencies...1 Agency or Industry Specific Regulations...2 Hierarchy
Cloud Computing Contract Clauses Management Advisory Report Report Number SM-MA-14-005-DR April 30, 2014 Highlights The 13 cloud computing contracts did not address information accessibility and data security
U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL FINAL REPORT: U.S. ELECTION ASSISTANCE COMMISSION EVALUATION OF COMPLIANCE WITH THE REQUIREMENTS OF THE FEDERAL INFORMATION SECURITY MANAGEMENT
EXECUTIVE OFFICE OF THE PRESIDENT OFFICE OF MANAGEMENT AND BUDGET WASHINGTON, D.C. 20503 THE DIRECTOR M-05-24 August 5, 2005 MEMORANDUM FOR THE HEADS OF ALL DEPARTMENTS AND AGENCIES FROM: SUBJECT: Joshua
PRIVACY IMPACT ASSESSMENT Submit in Word format electronically to: Linda Person (firstname.lastname@example.org) Office of Environmental Information System Name: The Inspector General Enterprise Management System
Department of Homeland Security Office of Inspector General Review of U.S. Coast Guard Enterprise Architecture Implementation Process OIG-09-93 July 2009 Contents/Abbreviations Executive Summary...1 Background...2
Department of Health and Human Services OFFICE OF INSPECTOR GENERAL OREGON PROPERLY VERIFIED CORRECTION OF DEFICIENCIES IDENTIFIED DURING SURVEYS OF NURSING HOMES PARTICIPATING IN MEDICARE AND MEDICAID
Privacy Impact Assessment For: Education Investigative Tracking System (EDITS) Date: April 10, 2013 Point of Contact: Hui Yang System Owner: Wanda A. Scott Author: William Hamel Office of Inspector General
Mission Assurance and Security Services Dan Galik, Chief Federation of Tax Administrators Computer Security Officer Conference March 2007 Security, privacy and emergency preparedness issues are front page
Privacy Recommendations for the Use of Cloud Computing by Federal Departments and Agencies Privacy Committee Web 2.0/Cloud Computing Subcommittee August 2010 Introduction Good privacy practices are a key
United States Government Accountability Office Report to Congressional Requesters June 2014 INFORMATION SECURITY Additional Oversight Needed to Improve Programs at Small Agencies GAO-14-344 June 2014 INFORMATION
AUDIT REPORT REPORT NUMBER 14 08 Information Technology Professional Services Oracle Software March 25, 2014 Date March 25, 2014 To Chief Information Officer Director, Acquisition Services From Inspector
Department of Health and Human Services OFFICE OF INSPECTOR GENERAL MEDICARE INAPPROPRIATELY PAID HOSPITALS INPATIENT CLAIMS SUBJECT TO THE POSTACUTE CARE TRANSFER POLICY Inquiries about this report may
TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION Fiscal Year 2015 Statutory Review of Restrictions on Directly Contacting Taxpayers July 7, 2015 Reference Number: 2015-30-061 This report has cleared the
Federal Election Commission Office of Inspector General Fiscal Year 2014 Work Plan Lynne A. McFarland Inspector General TABLE OF CONTENTS A Message from the Inspector General--------------------------------------------
Evaluation Report Weaknesses Identified During the FY 2013 Federal Information Security Management Act Review April 30, 2014 Report Number 14-12 U.S. Small Business Administration Office of Inspector General
TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION Taxpayer Data Used at Contractor Facilities May Be at Risk for Unauthorized Access or Disclosure May 18, 2010 Reference Number: 2010-20-051 This report
Department of Health and Human Services OFFICE OF INSPECTOR GENERAL COSTS CHARGED TO HEAD START PROGRAM ADMINISTERED BY ROCKINGHAM COMMUNITY ACTION, INC. DECEMBER 2003 A-01-03-02500 Office of Inspector
Office of Audits Office of Inspector General U.S. General Services Administration PBS is not Enforcing Contract Security Clearance Requirements on a Project at the Keating Federal Building Report Number
Department of Veterans Affairs VA Directive 0710 Washington, DC 20420 Transmittal Sheet June 4, 2010 PERSONNEL SECURITY AND SUITABILITY PROGRAM 1. REASON FOR ISSUE: To revise Department of Veterans Affairs
EXECUTIVE OFFICE OF THE PRESIDENT OFFICE OF MANAGEMENT AND BUDGET WASHINGTON, D.C. 20503 THE DIRECTOR August 6, 2003 M-03-19 MEMORANDUM FOR HEADS OF EXECUTIVE DEPARTMENTS AND AGENCIES FROM: SUBJECT: Joshua
CTR System Report - 2008 FISMA February 27, 2009 TABLE of CONTENTS BACKGROUND AND OBJECTIVES... 5 BACKGROUND... 5 OBJECTIVES... 6 Classes and Families of Security Controls... 6 Control Classes... 7 Control
PROCUREMENT Actions Needed to Enhance Training and Certification Requirements for Contracting Officer Representatives OIG-12-3 Office of Inspector General U.S. Government Accountability Office Report Highlights
Information Technology Management Letter for the U.S. Citizenship and Immigration Services Component of the FY 2014 Department of Homeland Security Financial Statement Audit March 17, 2015 OIG-15-43 HIGHLIGHTS
For Person Authentication Service (PAS) Date: January 9, 2015 Point of Contact and Author: Hanan Abu Lebdeh Hanan.Abulebdeh@ed.gov System Owner: Ganesh Reddy Ganesh.Reddy@ed.gov Office of Federal Student