Statement of Carolyn W. Colvin,
Acting Commissioner,
Social Security Administration

Testimony before the House Committee on Oversight and Governmental Reform on the Agency's Information System's Review,


May 26, 2016

Chairman Chaffetz, Ranking Member Cummings, and Members of the Committee, thank you for inviting us to discuss information technology (IT) and security at the Social Security Administration (SSA), including our agency’s compliance with the Federal Information Security Management Act (FISMA) and the Committee’s scorecard on the Federal Information Technology Acquisition Reform Act (FITARA).

I will focus my testimony on providing an overview of the programs that we administer, describing in brief how IT supports our mission, our IT investment process, cybersecurity, and the need for a multi-year IT modernization effort. Mr. Klopp, our Deputy Commissioner for Systems and Chief Information Officer, will discuss how we invest in and manage IT, consistent with the principles of FITARA, and our plans to modernize our IT infrastructure. Ms. Marti Eckert, our Chief Information Security Officer, will summarize our cybersecurity efforts, and our compliance with FISMA.

At the outset, let me emphasize that investing wisely in technology is one of our top critical priorities as we work to deliver smarter, secure, and more efficient service. We have consistently used our IT resources to help us efficiently and effectively deliver benefit payments and other services to millions of Americans each year. Yet we have major challenges before us. We have a significantly aged IT infrastructure, which is increasingly difficult and expensive to maintain. In addition, we must dedicate substantial resources to ensuring the security and integrity of our IT systems and the vital data that we maintain. While I am confident in the abilities of our employees to handle these challenges, I must emphasize that we need a multi-year investment to make essential improvements to modernize our systems.

Overview of SSA

I would like to describe briefly the programs that we administer. Old-Age, Survivors, and Disability Insurance (OASDI) (or “Social Security”) is a social insurance program, under which workers earn coverage for retirement, survivors, and disability benefits by working and paying Social Security taxes on their earnings.

We also administer the Supplemental Security Income (SSI) program, which provides monthly payments to people with limited income and resources who are aged, blind, or disabled. Adults and children under the age of 18 can receive payments based on disability or blindness. General tax revenues fund the SSI program.

Few government agencies touch as many people as we do. Social Security pays monthly benefits to more than 59 million individuals, consisting of 39 million retired workers and 3 million of their spouses and children; 9 million workers with disabilities and 2 million dependents; and 6 million surviving widows, children, and other dependents of deceased workers. We provide SSI benefits to over 8 million recipients.

The scope of our work is immense. In FY 2015, we:

• Handled approximately 37 million calls on our National 800 Number;
• Served about 40 million visitors in our 1,200 field offices nationwide;
• Completed over 8 million claims for benefits and more than 660,000 hearing dispositions;
• Handled over 35 million changes to beneficiary records;
• Issued about 16 million new and replacement Social Security cards;
• Performed almost 2 billion automated Social Security number verifications;
• Posted about 266 million wage reports;
• Handled over 18,000 cases in Federal District Courts;
• Completed over 2.2 million SSI non-medical redeterminations;
• Completed 799,000 full medical CDRs; and
• Completed approximately 3 million overpayment actions.

We handle all of this work with considerable efficiency. At approximately 1.3 percent of our total outlays, SSA’s administrative expenses continue to be a small fraction of overall program spending, demonstrating the agency’s cost-conscious approach to managing its resources.

The Role of IT at SSA

IT plays a critical role in our day-to-day operations. We use most of our IT funding for ongoing operational costs such as our National 800 Number service and our online services, both of which help us keep pace with the recent increases in claims. In FY 2015, our IT infrastructure supported the payment of more than $930 billion in benefits to nearly 67 million people and the maintenance of hundreds of millions of Social Security numbers and related earnings records for nearly every
American.

We are exploring and developing ways we can expand our online customer base. Each year, we see greater numbers of people across all demographic segments doing business with us online. Since we launched my Social Security in 2012, over 24.5 million customers have created accounts. In FY 2015, customers continued to increase their use of our online services to conduct business with us as they completed over 87 million transactions via our website. In FY 2015, we received more than half of all Social Security retirement and disability applications online, including 75 percent of Medicare applications.

Customer satisfaction with our online services also continues to shine, as five of the top ten ranked Federal websites were SSA online customer service products, according to the 2015 ForeSee e-Government Report Card. We will continue to enhance our online services and promote them as a safe and convenient service option to increase usage and reduce unnecessary field office visits. Our goal is to increase the volume of online transactions by 25 million each year, which would
result in 112 million transactions in FY 2016 and 137 million in FY 2017. With increased usage of online services, we can free up more time for customers that need or prefer to complete business with us in person.

We continue to increase the services available on our online my Social Security portal. Individuals may access their Social Security Statement at any time through their personal online my Social Security account. In 2015, we added several new services to our my Social Security portal including replacement Medicare Card services, and the capability for my Social Security users to download data from their Social Security Statement to assist them in financial and retirement planning. Other online service efforts include a successful limited rollout – up to eight States and the District of Columbia over the last year– of a secure Internet Social Security Number Replacement Card application for eligible U.S. citizens age 18 and over. We expect to expand this service to other States in the near future.

In this calendar year, we are enhancing our online my Social Security service so that it is more compatible with mobile devices to improve service to that fast-growing segment of the user community. In addition, we are developing new customer engagement tools including Click-to- Chat and a Message Center for relaying informational messages to my Social Security users. Other services include the development of a Smart Claim application that will allow our customers to get a detailed status on their benefit applications within my Social Security. We will later expand Smart Claim to include online service options for SSI claimants as well.

IT Investment

While we have always been an efficient organization, with low administrative expenses, I fully appreciate that SSA must continually strive to improve how it invests resources, particularly in IT. Consequently, transforming the information technology investment process has been one of my highest priorities as Acting Commissioner. Over the last year, we have developed an IT Investment Process (ITIP) that will improve the way we manage and invest in IT at SSA.

Consistent with FITARA, ITIP will focus on up-front project planning with outcomes tied to specific agency goals. Improved project planning and documentation will allow us to assess project costs and timelines with greater accuracy. In addition, an enterprise-wide executive IT investment board will meet throughout the year to make informed funding decisions on projects that provide the greatest benefit to our agency’s mission. As a result, we will be better able to deliver the right
project on time and within budget, and provide the best tools for our employees and superior service to the American public.

In addition to improving how we invest in IT, we also are taking steps to ensure that we are recruiting the best talent and exploring the latest methods in the world of IT. To that end, last year I selected Rob Klopp to serve as our Deputy Commissioner of Systems and our Chief Information Officer. Mr. Klopp has impressive private industry expertise in leading technology change and balancing that change with reliable service delivery. In addition, we are working to build a digital services team that will bring private sector best practices into the disciplines of design, software engineering, and product management to maximize the agency’s most important services. Finally, we are using new methods to deliver technology faster, such as Agile development and cloud computing services.

Cybersecurity

Our cybersecurity program continues to increase our detection, protection, and intelligence capabilities for strengthening the agency’s defenses against evolving threats and cyber-attacks. Our program incorporates these security capabilities into a comprehensive, multi-layered defensive approach for ensuring the confidentiality, integrity, and availability of the public’s sensitive personally identifiable information. As we continue to provide new opportunities for better customer service through new online services, we must remain vigilant in continuing to strengthen our cybersecurity program capabilities.

To that end, we proactively try to penetrate our own information systems every day. With ongoing analysis and rigorous testing, we continuously learn more about the ways hackers may try to gain access to our systems, and we continuously devise ways to stop them.

Our cybersecurity program compares well against other Federal departments and agencies in key performance standards. To remain strong, we need to continue to evolve our cybersecurity program to reflect changes in technology, changes to business processes, and changes in the complexity of internal or external threats. Continued investments in cybersecurity projects and initiatives will ensure we have the resources needed to accomplish our agency’s mission and thus maintain public confidence in the agency’s ability to protect their privacy. Marti Eckert, our Chief Information Security Officer, will describe in more detail the steps we take to ensure the security of our information systems.

Additionally, to protect citizens’ personally identifiable information further, we continue to improve authentication for our online services. In compliance with Executive Order 13681 (“Improving the Security of Consumer Financial Transactions”), we are changing our current multifactor authentication process for my Social Security from optional to mandatory for all users. Upon implementation this summer, all customers must enter a username, password, and a one-time
passcode texted to a registered cell phone in order to access their my Social Security account. In the future, we expect to offer additional multi-factor options, pursuant to Federal guidelines. The National Institute of Standards of Technology is working on a revised guideline, and we are providing input into that process.

IT Modernization

I appreciate the Committee’s interest in our efforts to modernize our legacy information systems. The database systems our agency uses today are 40 years old and are no longer the best solution to administer our programs. For several years, we worked to modernize our IT in small pieces at a time, but we have exhausted nearly all of these small efforts. The legacy infrastructure is not sustainable, but these aged systems are the very production tools that our employees rely upon each
day to provide service to the public. We must maintain the legacy systems while, in parallel, developing their replacements. We are now at a point where we must undertake a larger, multiyear effort.

A portion of the fiscal year 2016 appropriation helps to begin the design of the legacy replacement systems. However, we need a sustained, long-term investment to make the changes needed to develop a fully modern IT infrastructure that is capable of supporting the immense responsibilities I described earlier in my testimony. That is why the President’s Budget for FY 2017 requests multiyear funding of $300 million spread over four years, to undertake an IT modernization project
that will bring our systems current. In FY 2017, $60 million is included as part of the FY 2017 President’s Budget. The FY 2017 President’s Budget also contains a mandatory proposal for additional IT modernization funding - $80 million each year in FYs 2018-2020. The project will require effort and investment in several areas including modernization in computer language, database, and infrastructure. Mr. Klopp will describe in greater detail why such a long-term investment is essential.

Conclusion

Thank you for holding this important hearing. I am glad to highlight for you the importance of IT in our administration of the Social Security and SSI programs, and the need to ensure the integrity of our systems and the development of a sound IT investment process. I would be happy to answer any questions you may have.

Carolyn W. Colvin
Acting Commissioner of Social Security

Image of Acting Commissioner, Carolyn W. Colvin


Carolyn W. Colvin believes that there is no greater calling than public service. Putting her own retirement on hold, Ms. Colvin returned to public service at the
request of President Obama to serve as Deputy Commissioner in January 2011. Since February 14, 2013, Ms. Colvin has served as Acting Commissioner. Receiving the President’s vote of confidence to lead the agency, Ms. Colvin was nominated to serve as the Commissioner of the Social Security Administration on June 20, 2014. Named as one of the Baltimore Sun’s 2014 “50 women to Watch,” Ms. Colvin brings more than 30 years of senior executive leadership experience to the agency, having led numerous health and human service organizations at the state and municipal levels of government, including serving in various capacities within Social Security. In addition to her role as Acting Commissioner, Ms. Colvin serves as a member of the Social Security Board of Trustees.

As Acting Commissioner, Ms. Colvin oversees one of the largest agencies in the Federal government, with over 60,000 federal employees nationwide plus another 18,000 state employees who make medical determinations in the disability program. The Social Security Administration is responsible for paying over $800 billion each year in monthly benefits to over 60 million recipients. The agency is also responsible for maintaining the lifetime earnings records of over 165 million workers.

Under Ms. Colvin’s leadership, the agency strives to provide excellent customer service in today’s tight fiscal climate while positioning itself to deliver services in the future that meet the changing needs of the public. Acting Commissioner Colvin’s dedication to public service ensures that the agency provides prompt, accurate, and compassionate service to the American public—whether online, by phone or in a Social Security office. Ms. Colvin consistently reminds the staff that behind every case or number there is a person or family who is depending on the agency for help.

Ms. Colvin received her undergraduate and graduate degrees in Business Administration and an Honorary Doctorate in Public Service from Morgan State University in Baltimore, Maryland. She resides in Odenton, Maryland.

 

____________________________________________________________________________________________________________

Statement of Robert Klopp,
Deputy Commissioner of Systems,
Chief Information Officer,
Social Security Administration

Testimony before the House Committee on Oversight and Governmental Reform on the Agency's Information System's Review,

May 26, 2016

Chairman Chaffetz, Ranking Member Cummings, and Members of the Committee, thank you for inviting me to discuss information technology at the Social Security Administration (SSA), including our agency’s compliance with the Federal Information Security Management Act (FISMA) and implementation of the Federal Information Technology Acquisition Reform Act (FITARA).

In 2015, I was appointed to serve as SSA’s Chief Technology Officer. Acting Commissioner Colvin subsequently appointed me to serve as SSA’s Deputy Commissioner for Systems and Chief Information Officer. Prior to my appointment, I worked for a variety of technology firms based on the West
Coast and in the Silicon Valley. I learned quickly that SSA has a committed and qualified IT workforce that maintains several significant information systems to meet its mission. To provide one measure of this, during fiscal year (FY) 2015, the agency paid more than $930 billion to almost 67 million beneficiaries representing around five percent of the U.S. Gross Domestic Product. The Acting Commissioner’s written testimony provides an overview of how our IT supports our administration of the Social Security and Supplemental Security Income (SSI) programs. To support these payments, and the substantial other work that our agency performs, our total IT expenditure, in FY 2015, including our staff and contractors, was about $1.8 billion.

The SSA faces several IT challenges in the years ahead. The systems that serve our mission are old and they are primarily supported by the staff who developed them 30+ years ago. As this staff retires, the knowledge of these old applications and the knowledge of the legacy infrastructure they are built upon will diminish. We have to modernize these legacy systems before this knowledge is gone. Developing the new capabilities based on new technology to best serve the public is an
expensive proposition if we have to build it upon this aging foundation. We have to modernize these legacy systems to provide these new services at a reasonable cost. In addition, we face threats to the security of the information we store at the Agency. Dealing with these threats requires constant vigilance. We need to modernize our legacy systems to provide the modern infrastructure that incorporates modern cyber defenses. (Ms. Eckert’s testimony describes further our cybersecurity posture and our compliance with FISMA.) Below, I will detail some of the efforts we are making to improve how we invest in IT and our efforts to modernize our IT infrastructure. However, we need adequate and sustained funding from Congress to ensure that we can address these efforts over the long-term.

Implementation of FITARA and IT Investment

Many of our IT modernization and other practices align with the recently passed Federal Information Technology Acquisition and Reform Act, better known as FITARA. FITARA reforms aim to increase Federal CIO authority for IT planning and decision making, enhance management of Federal IT investments, and improve acquisition of IT human capital, products, and services.

We are fully engaged with our responsibilities pursuant to FITARA and the Office of Management and Budget (OMB) guidance to implement the law. We are making enterprise level improvements to important components of our Capital Planning and Investment Control (CPIC) framework including: incorporating new policies and procedures for our IT investment review process; implementing a new integrated CPIC tool to replace a number of dated systems; and
reorganizing several IT governance groups into a single, coordinated component.

FITARA and OMB guidance require agency CIOs to provide OMB on a regular basis information about major IT investments, including rating such investments according to risk. OMB reviewed our evaluations on our IT investments and found us in compliance with its guidance. We continue to revisit our process and rating criteria and our source documentation for improvement opportunities.

I am pleased to report that, over the last year, we developed a new IT Investment Process (ITIP) that will improve the way we manage and invest in IT at SSA. ITIP will focus on up-front project planning with outcomes tied to specific agency goals. Improved project planning and documentation will allow us to assess project costs, risks, and timelines with greater accuracy. In addition, an enterprise-wide executive IT investment board will meet throughout the year to make informed funding decisions on projects that provide the greatest benefit to our agency’s mission. As a result, we will be better able to deliver the right project on time and within budget, and provide the best tools for our employees and superior service to the American public. Finally, the new process will include formal post-implementation reviews that look at the IT implementation process and at the ongoing return-on-investment, planned and actual, of the resulting business applications.

IT Modernization

In the late 1970s and early 1980s, because of the massive scale of our operations, SSA was aggressively developing systems and databases to store information about tens of millions of citizens. These systems were leading edge systems that pushed the state of the art in the 1980s.

Today, these legacy systems are out-of-date, and the cost required to bring them to a modern state represents a technical debt that accrues interest with each passing year. Their complexity makes it costly and challenging to add the functionality needed to meet the continually evolving requirements placed on us by the Administration, Congress and the people we serve. The extra cost of building on these aging systems represents part of this technical debt. Our university systems generally are no longer teaching the mainframe computer application languages, development, and operating environment, and the Federal staffs who developed and maintained these systems are retiring. As a result, the interest payments on this 30-year-old technical debt are compounding, and in the next five years, we could face a crisis keeping our systems running.

Generally, our approach to modernizing our major IT systems has been to replace components of systems rather than the system as a whole. This approach tends to reduce risk by reducing interdependencies in a single development effort and by reducing the scope of the modernization effort.

For several years, we have chipped away at the legacy code base as we add new business functionality, reducing our technical debt. This incremental and opportunistic approach worked well given the ebb and flow of annual funding. However, we are at a point where this approach is no longer viable; technology is advancing faster than we can incrementally modernize. As a result, we have to undertake larger, multiyear tasks. To that end, we are focusing our efforts in three primary broad areas: database modernization, code modernization, and infrastructure modernization.

Our first broad area of focus is core database systems. Because of limitations in the technology available when our databases were designed, all updates were managed via a sequential, batch process that applied updates queued during the day. Modern databases update in real time. In addition, legacy databases were designed around specific applications rather than organized around data subjects. This creation of data silos makes adding broad agency-wide capabilities difficult and expensive. In the last year, we have started to re-organize our data into a modern architecture and began development of a framework to allow real-time updates. Unfortunately, all the legacy code base that we have becomes the issue.

Therefore, our second broad area of focus is modernizing that legacy code. Our efforts here are designed to address the complexity and pre-modern design of our oldest systems. We are exploring ways to capture value from the legacy code base, either through a code migration or by capturing the “gist” of the business rules. We are exploring different options, including “buy” as opposed to “build.” We are also aggressively moving to modernize our software engineering tools and skills. In order to modernize the skill of our staff, with the aim of reducing the costs of modernization, we will develop an intensive training program. We have one very significant new project where we are using these skills to develop a brand new system and, so far, the impact is very positive. Finally, we are fully embracing agile development methods. This approach enables us to roll out more quickly new functionality to users while reducing the risk that what we produce will not meet users’ needs.

The third broad area of focus is modernization of our infrastructure. For more than 30 years, we have been predominantly a user of mainframes for our mission-critical systems. For many years, only mainframes could handle our workload. In response to Acting Commissioner Colvin’s direction to push us towards becoming a more data driven enterprise, we are deploying a modern business intelligence eco-system in the cloud. We are working to develop an on premises cloud environment and then a hybrid cloud environment to further enable us to take advantage of the economics of cloud computing. We have also established a Modern Development Environment (MDE) in the Amazon Web Services cloud. MDE is a suite of tools and engineering practices for supporting modern software development.

With our plan to leverage our new data capabilities, development techniques, and infrastructure, we are beginning a fundamental review of how we engage our customers and our employees. Through a new “Customer Connect” initiative, we are considering how better to meet customers experience in 2020. This initiative aims to reconsider not just our technology infrastructure, but to challenge SSA to reassess the business processes that have grown and evolved over the last eighty years.

Conclusion

Before we turn to cybersecurity, I would like to restate the core challenge I see.

As we head into this period where a significant portion of our IT staff becomes eligible for retirement, we need to begin long-term efforts to modernize our infrastructure, our data architecture, and our software intellectual property. We need to accomplish this while we keep the current systems incrementally advancing and while we continue to expand our commitment to cybersecurity.

Because our efforts have to be long-term, we need a stable long-term commitment to fund IT modernization, as discussed in the Acting Commissioner’s testimony. We need funds to enable the modernization in the same way the nation needs funds to modernize other aging infrastructure, such as roads, dams, and the grid.

We look forward to working with Congress to overcome these challenges. Thank you and I would be glad to take any questions.

Robert Klopp
Chief Information Officer and
Deputy Commissioner for Systems

Image of Robert Klopp, Chief Information Officer, Social Security Administration

Rob Klopp is the Chief Information Officer (CIO) for the Social Security Administration. Rob started at the Agency as the Chief Technology Officer in January of 2015 and assumed the role of CIO and Deputy Commissioner of Systems the following August. Rob was recruited by the United States Digital Services team specifically to support the Agency.

He comes to Baltimore from the Silicon Valley where he has worked for both large software enterprises and for smaller start-ups. You may know of some of the start-ups. Greenplum, for example, was acquired by EMC and Teradata is now a leading company in the relational database and data warehouse markets. Rob spent nearly two years based in Switzerland as the EMC/Greenplum CTO for Europe, the Middle East, and Africa. He also worked in the consulting services space for EDS, now part of HP, and for what is now KPMG, as well as in his own boutique consultancy. He founded a little software start-up that was sold to a large database company. Rob started his career out of college in the Government arena with the State of California where he was a mainframe systems programmer.

Within these firms, Rob has filled both technical and executive roles; sometimes facing the engineering and product side of the business and sometimes facing the end-users, but always with both feet grounded in the technology.

Rob also publishes a popular blog on database technology: the Database Fog Blog and is a regular contributor to the blog at the CIO.gov site.

____________________________________________________________________________________________________________

Statement of Marti Eckert,
Chief Information Security Officer,
Social Security Administration

Testimony before the House Committee on Oversight and Governmental Reform on the Agency's Information System's Review,

May 26, 2016

Chairman Chaffetz, Ranking Member Cummings, and Members of the Committee, thank you for inviting me to discuss information security at the Social Security Administration (SSA), including our agency’s compliance with the Federal Information Security Management Act (FISMA) and the Committee’s scorecard on the Federal Information Technology Acquisition Reform Act. As the agency’s Chief Information Security Officer, I support our Chief Information Officer in our agency’s commitment to protect the information we manage and our systems from threats and vulnerabilities.

The security of the personally identifiable information (PII) the agency holds is of the utmost importance, and we take seriously our responsibility to protect the information provided to us by the public we serve. The agency has a strong, proactive approach to the identification and mitigation of risks associated with our online authentication to access public services via the internet, external and internal access to our secure network, and our information and communications assets. While we have strong controls in place, we know that there is no perfect way to lock down any system. In today’s escalating threat environment, every cybersecurity program is a practice of continuous improvement.

Consequently, we continually work to keep pace with advancements in cybersecurity technology. We strengthen our security by remediating gaps in our security posture and institutionalizing and maturing security processes. We take a risk-based approach and leverage current agency processes, as we add layers of defense to improve protections and identify threats. Below, I will discuss in brief our cybersecurity program and some of the measures we are taking to counter potential cyber threats. Given the sensitive nature of this issue, I am unable to provide a detailed description of our cybersecurity capabilities in a public forum. However, I would be pleased to offer to you and your Committee staff a confidential briefing on this important issue.

Defense in Depth Strategy

At SSA, we employ a dynamic enterprise-wide cybersecurity program leveraging a defense-in-depth strategy to help protect our network, data, and employees while enabling the Agency’s mission and meeting customer expectations in a safe and secure environment. We work diligently to protect our information, detect attacks, identify suspicious activities, and systematically respond to software and hardware vulnerabilities. We collaborate with the Department of Homeland Security’s (DHS) United States Computer Emergency Response Team (US-CERT), the White House National Security staff, the Federal Chief Information Officer, and various law enforcement agencies to address cyber threats. We realize that technical solutions alone cannot combat adversarial threats in today’s threat landscape, and it is not a single technology or process that keeps Social Security information safe, but rather an integrated, holistic approach comprised of many different technologies, processes, procedures, standards, guidelines and awareness programs. Our defense-in-depth strategy is composed of the following seven layers:

  • A perimeter security layer, which deploys gateway protections where we connect to the external world;
  • A network security layer, which houses the cybersecurity protections on our internal network;
  • An endpoint security layer, which includes the security tools and technologies deployed on our laptops, workstations and mobile devices;
  • An application security layer; which are the controls around our Social Security software applications;
  • A data security layer, which are specific protections around our data;
  • A prevention layer, which are those processes that allow us to identify gaps in our cybersecurity posture and address them; and
  • A monitoring and response layer, which includes the protections in place to identify and respond to an incident.

Federal Cyber Sprint and the Cross-Agency Priority CyberSecurity Goals

I will now discuss the Agency’s performance on the Federal Cyber Sprint and the Cross-Agency Priority CyberSecurity goals.

Cyber Sprint of 2015: We continue to build on the work we initiated last July as part of the federal Cyber Sprint. During the Cyber Sprint, agencies focused on multi-factor authentication, privileged users, remediating critical vulnerabilities identified by DHS, and assessing high value information assets. A brief status of our efforts is below.

Multi-Factor Authentication - Personal Identity Verification (PIV) cards
One way to enhance the protection of agency data is to ensure employees utilize their Personal Identity Verification (PIV) card when logging onto agency computer systems. This two-factor authentication method makes it harder for unauthorized individuals to gain access to SSA’s network and systems and better protects sensitive agency data. We have issued PIV cards to 100% of the privileged users and 88% of unprivileged users on our network. We have a plan for completing the issuance of the remaining group of users in the State Disability Determination Services (DDSs) by December 2016.

Privileged Account Management
During the Cyber Sprint, we reduced the number of network privileged users in the Agency by 10 percent, and we continue to focus on controlling privileged accounts. Privileged accounts are user accounts with administrative privileges that possess a greater level of access than a regular user account. SSA is deploying new technology, which will allow us to control privileged accounts to a much greater degree, by letting users check out privileges only when needed, instead of having them assigned permanently. This will reduce the risk of these privileged accounts being compromised and used for malicious purposes.

Remediating Critical Vulnerabilities
The Agency was an early adopter of cyberhygiene scanning by the DHS. Weekly and on an ad-hoc basis, as needed, DHS scans SSA-owned IP ranges for vulnerabilities. SSA is one of ten Chief Financial Officer (CFO) Act Agencies that do not have any critical vulnerabilities as identified on DHS’ Federal Cyber Exposure Scorecard.

Assessing High Value Assets
We assessed and prioritized the SSA systems and data sources that utilize PII. We conduct regular security assessments of our high value assets including vulnerability and penetration tests. We are currently undergoing our second exercise with DHS to assess the controls around our highest value assets. Such assessments are designed to emulate the attacks of real-world adversaries.

Cross-Agency Priority (CAP) CyberSecurity Goals: SSA meets all nine of the CAP CyberSecurity Goals. These goals focus on the implementation of the continuous monitoring of hardware assets, software assets, configurations and vulnerabilities, the implementation of multi-factor authentication, and malware and anti-phishing defenses.

Cybersecurity Best Practices at SSA

We are often asked to share some of our best cybersecurity practices with other federal agencies. The following section outlines some of those practices.

Incident Response and our Security Operations Center: We have a robust Incident Response Plan that details the roles and responsibilities of Agency personnel involved in a response to a cyber incident or breach. These roles include personnel from all facets of the agency, including our Security Operations Center (SOC). The agency has an internal Security Operation Center (SOC) staffed without interruption that monitors the agency’s network environment to identify and detect suspicious activities, react to potential cybersecurity incidents, and ensure uninterrupted service delivery. The SOC leverages many technologies and capabilities to enable fast and accurate threat detection, remediation, and response to security incidents across the enterprise. Best practices in our SOC that we have shared with other federal agencies include:

  • A centralized repository and automated workflow for reporting PII loss incidents within the Agency and for reporting all suspicious incidents to US-CERT.
  • An automated solution that monitors when any user may be sending PII outside of the Agency in a non-secure manner. The program alerts and notifies management of any user that violates agency policy
  • Dashboards using a data aggregation tool that allow for trending incident data and reporting to agency executives. These metrics and reports improve executive decision-making by highlighting anomalies and providing data visualization.
  • A strong working relationship with US-CERT while sharing information on all cyber-related incidents.
  • Regular incident response exercises for both internal incidents (discovered by SSA) and external incidents (discovered by a third party). These tabletop exercises simulate the agency’s response to an incident. Each scenario identifies roles and responsibilities of specific SSA parties or components for each particular situation and provides a low-stress opportunity to practice incident response.

Enterprise Penetration Testing Program: One of our most effective information security defenses is our Enterprise Penetration Testing program, which we implemented in 2012. It has become a cornerstone of our cybersecurity program to defend against hacks and data breaches. Penetration testing is the method of evaluating the security of a computer system or network by simulating an attack from malicious outsiders who do not have authorized access to our systems and insiders who have some level of authorized access. The process involves analyzing the system for potential vulnerabilities that result from system misconfigurations and software flaws, both known and unknown. We have a dedicated team of cybersecurity professionals that performs tests in an attempt to “hack ourselves” on a scheduled and on-going basis. The penetration testing process provides the Agency with a third layer of defense beyond our basic cyber hygiene practices of software patching and vulnerability scanning.

This program includes both overt and covert penetration tests, utilizing real-world scenarios. We continually evolve our penetration-testing program as new threats emerge. We track, monitor, and remediate all identified vulnerabilities. Further, we scan all public facing applications for vulnerabilities prior to releasing them to production. We leverage the responses to regularly scheduled exercises and tests to mature the posture and performance of our Security Operations Center.

We also work with outside auditors and provide them access to our systems if requested to perform independent testing. We remediate the vulnerabilities identified by the independent auditor, and we actively detect and remediate additional vulnerabilities both internally and externally. It is important to note that auditors have had no success in breaking into our systems from the outside.

Malware and Anti-Phishing Defenses: The Agency defenses for malware and phishing are a critical component of our cybersecurity program and build on our layers of defense and risk based approaches. We take a holistic approach, incorporating malware and phishing defenses into the various layers of protections at the perimeter, network, end-point, data, prevention, and response layers. We deploy a variety of technologies to detect potentially malicious activity at our gateways to the external world as well as within our internal network. We configure our infrastructure and place controls on user activity to limit the impact of potentially suspicious actions. Some specific best practices are:

  • The deployment of multiple technologies to automatically detect and remediate known malicious software at the virtual entry points into our infrastructure.
  • The early adoption and continued upgrade of our Trusted Internet Connection and the deployment of the DHS Einstein program to identify malicious traffic targeting SSA and prevent it from harming us.
  • The implementation of an enterprise wide social engineering program that tests our employees’ ability to recognize suspicious email messages and phone calls. We test all employees once a quarter with phishing exercises to continuously reinforce their skills.

Authentication for my Social Security: As the Acting Commissioner mentioned in her testimony, SSA has a robust set of on-line services for citizens to use to conduct Social Security business. We have offered a multi-factor authentication method for citizens to use to access services since fiscal year 2012. This summer, we will make multi-factor authentication mandatory for users. All customers must enter a username, password and a one-time passcode texted to a registered cell phone in order to access their my Social Security account. This will ensure that the Agency on-line portal is consistent with the CyberSecurity Act of 2015, the National CyberSecurity Action Plan, and Executive Order 13681. We are working with NIST and other Federal agencies to identify improvements to the authentication process.

FISMA Compliance and Performance

FISMA mandates that we implement an effective information security program and requires us to regularly assess our major IT systems and report the assessment results in an annual report to OMB and Congress. Our defense-in-depth cybersecurity program ensures that we manage information security risks on a continuous basis, as directed by OMB. In a network of our size and complexity, something can always be better secured. In accordance with FISMA requirements, an independent auditor evaluates our information security program and systems annually. Over the years, these evaluations have found us to be in compliance with the law, but like any audit, have identified areas for improvement.

Our inspector general (IG) contracted with an independent auditor to complete the FY 2015 FISMA audit. The evaluation determined that we established an information security program and practices that were generally consistent with FISMA requirements. However, our overall score was lower than FY 2014. In June 2015, the scoring metrics used by the IG to calculate our FISMA score changed. In total, 21 individual metrics were eliminated—in each of which we had a passing score in FY 2014. This change in scoring methodology contributed to an overall decline in Federal agency scores. With the new methodology, we ranked sixth out of 24 CFO Act agencies with an overall score of 84 points. This year, the methodology will change in another area. FISMA scores will continue to reflect changes to the methodology. Agencies may need time to understand the new methodology and improve effectiveness based on these changes.

The majority of our reduced compliance metrics fell into the area of Risk Management. Throughout the evaluation, we engaged the auditor to explain our approach, provide documentation of our progress, and obtain feedback on their assessment. The auditor noted in FY 2015 that we made substantial improvements and progress in securing applications and managing vulnerabilities for the vast majority of our systems resources. We also improved our existing controls and implemented new controls and risk management processes in FY 2015. We completed actions on many recommendations from the FY 2014 and FY 2015 FISMA assessments and continue to address open recommendations.

In response to our auditor’s findings and recommendations, we expanded our penetration-testing program to include the analysis of external threats in addition to internal threats. We implemented a zero tolerance policy for weak credentials as we further refine our threat and vulnerability management program. We continue to emphasize prioritization and implementation of risk mitigation strategies and plans of action and milestones as we remediate vulnerabilities.

We continue to improve and standardize governance processes for IT applications within the agency. We established improved criteria for assessing the risk and security of applications. These steps help ensure our risk management requirements are effectively and consistently implemented across the organization. This includes our State DDSs, where we are accelerating the expansion of our suitability clearance process. We also implemented an automated, standardized DDS security plan template that each DDS completed. Given our competing needs and limited resources, we follow best practices and prioritize our actions for improvement to address the most significant risks first.

Conclusion

Again, thank you for the opportunity to testify about these important issues. To summarize our IT security program, I will reiterate that we have a holistic, integrated, defense-in-depth program that ensures we practice good cyber hygiene through constant patching, monitoring, scanning, alerting, and awareness training. While continuing these basic practices, we must constantly add new layers of technology and automation to reduce our reliance on outdated manual processes.

As the threat level evolves and escalates, all organizations must respond with newer and innovative defenses that will improve our ability to respond quickly. Our future cyber program will include the use of more analytics tools to identify threats faster and the use of automation to respond and remediate incidents more quickly.

We have increased the amounts that we expend on cybersecurity programs over the last three fiscal years. However, our resources are constrained, and we need adequate resources and funding to maintain and improve our vitally important cyber defenses and protect the PII of all of our citizens.

Thank you and I am happy to answer any questions.

 

Marti Eckert
Chief Information Security Officer
Social Security Administration

Image of Marti Eckert, Chief Information Security Officer, Social Security Administration

Marti Eckert is the Chief Information Security Officer (CISO) at the Social Security Administration (SSA), where she is responsible for the Agency’s Cyber Security Program, ensuring the protection of the Agency’s vast information technology resources.

A career federal employee, Marti has held various Information Technology executive positions at Social Security. She led the implementation of Social Security’s Business Services On-line suite of Internet applications which employers use to interact with Social Security. In 2006, she became the Deputy Associate Commissioner for the Office of Systems Electronic Services where she continued to lead the implementation of Social Security services on the Internet. In 2008, Marti made the switch from software development to hardware operations when she became the Assistant Associate Commissioner for Enterprise Information Technology Operations and Security where she was responsible for running Social Security’s day to day data center operations.

Before becoming the SSA CISO in 2013, Marti was the Deputy Associate Commissioner for Telecommunications and Systems Operations. Marti holds a B.A. degree in political science from the University of Dayton and an M.B.A. degree from Loyola University.

 

 

___________________________________________________________________________________________________________________________________________________