<!doctype html>
|
||
<html class="no-js" lang="en">
|
||
<head>
|
||
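<!-- REQUIRED META INFORMATION -->
<!-- void elements take no trailing slash; the HTML parser ignores it -->
<meta charset="UTF-8">
<!-- legacy IE rendering-mode directive; ignored by current browsers, kept for the old IE audience this site still serves -->
<meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1">
<meta name="viewport" content="width=device-width">

<!-- DOCUMENT TITLE -->
<title>Statement of Robert Klopp, Deputy Commissioner for Systems and Chief Information Officer</title>

<!-- OCOMM META INFORMATION -->
<meta name="dc.creator" content="OLCA">
<meta name="lead_content_manager" content="Chris Tino">
<meta name="coder" content="Gary Davis">

<!-- OCOMM STYLES & SCRIPTS -->
<!-- type attributes are omitted: text/css is the default for rel="stylesheet" -->
<link href="/framework/css/phoenix.css" rel="stylesheet" media="all">

<!-- SSA INTERNET HEAD SCRIPTS -->
<!-- loaded synchronously on purpose; presumably handles the "no-js" class on <html> — confirm before adding defer -->
<script src="/framework/js/ssa.internet.head.js"></script>

<!-- LEGISLATION STYLES -->
<link href="css/legislation.css" rel="stylesheet" media="all">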
|
||
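<style>
  /*
   * Page-local colour utilities.
   *
   * The previous sheet declared .blue twice (#0080FF then #004080) and
   * .red three times; under the cascade only the last declaration of each
   * took effect, so the rules below keep exactly those effective values.
   * Two malformed selectors ("social security" and "ss") matched no element
   * and were dropped, as was the obsolete <!-- --> comment wrapper.
   * No element on this page currently carries any of these classes.
   */
  .my {
    color: #F00;
  }
  .blue {
    color: #004080;
  }
  .red {
    color: #F00;
  }
</style>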
|
||
|
||
<script>(window.BOOMR_mq=window.BOOMR_mq||[]).push(["addVar",{"rua.upush":"false","rua.cpush":"false","rua.upre":"false","rua.cpre":"false","rua.uprl":"false","rua.cprl":"false","rua.cprf":"false","rua.trans":"","rua.cook":"false","rua.ims":"false","rua.ufprl":"false","rua.cfprl":"false","rua.isuxp":"false","rua.texp":"norulematch","rua.ceh":"false","rua.ueh":"false","rua.ieh.st":"0"}]);</script>
|
||
<script>!function(e){var n="https://s.go-mpulse.net/boomerang/";if("False"=="True")e.BOOMR_config=e.BOOMR_config||{},e.BOOMR_config.PageParams=e.BOOMR_config.PageParams||{},e.BOOMR_config.PageParams.pci=!0,n="https://s2.go-mpulse.net/boomerang/";if(window.BOOMR_API_key="LERZW-HECFS-R8H4E-23UQ7-ERMQB",function(){function e(){if(!o){var e=document.createElement("script");e.id="boomr-scr-as",e.src=window.BOOMR.url,e.async=!0,i.parentNode.appendChild(e),o=!0}}function t(e){o=!0;var n,t,a,r,d=document,O=window;if(window.BOOMR.snippetMethod=e?"if":"i",t=function(e,n){var t=d.createElement("script");t.id=n||"boomr-if-as",t.src=window.BOOMR.url,BOOMR_lstart=(new Date).getTime(),e=e||d.body,e.appendChild(t)},!window.addEventListener&&window.attachEvent&&navigator.userAgent.match(/MSIE [67]\./))return window.BOOMR.snippetMethod="s",void t(i.parentNode,"boomr-async");a=document.createElement("IFRAME"),a.src="about:blank",a.title="",a.role="presentation",a.loading="eager",r=(a.frameElement||a).style,r.width=0,r.height=0,r.border=0,r.display="none",i.parentNode.appendChild(a);try{O=a.contentWindow,d=O.document.open()}catch(_){n=document.domain,a.src="javascript:var d=document.open();d.domain='"+n+"';void(0);",O=a.contentWindow,d=O.document.open()}if(n)d._boomrl=function(){this.domain=n,t()},d.write("<bo"+"dy onload='document._boomrl();'>");else if(O._boomrl=function(){t()},O.addEventListener)O.addEventListener("load",O._boomrl,!1);else if(O.attachEvent)O.attachEvent("onload",O._boomrl);d.close()}function a(e){window.BOOMR_onload=e&&e.timeStamp||(new Date).getTime()}if(!window.BOOMR||!window.BOOMR.version&&!window.BOOMR.snippetExecuted){window.BOOMR=window.BOOMR||{},window.BOOMR.snippetStart=(new Date).getTime(),window.BOOMR.snippetExecuted=!0,window.BOOMR.snippetVersion=12,window.BOOMR.url=n+"LERZW-HECFS-R8H4E-23UQ7-ERMQB";var i=document.currentScript||document.getElementsByTagName("script")[0],o=!1,r=document.createElement("link");if(r.relList&&"function"==typeof 
r.relList.supports&&r.relList.supports("preload")&&"as"in r)window.BOOMR.snippetMethod="p",r.href=window.BOOMR.url,r.rel="preload",r.as="script",r.addEventListener("load",e),r.addEventListener("error",function(){t(!0)}),setTimeout(function(){if(!o)t(!0)},3e3),BOOMR_lstart=(new Date).getTime(),i.parentNode.appendChild(r);else t(!1);if(window.addEventListener)window.addEventListener("load",a,!1);else if(window.attachEvent)window.attachEvent("onload",a)}}(),"".length>0)if(e&&"performance"in e&&e.performance&&"function"==typeof e.performance.setResourceTimingBufferSize)e.performance.setResourceTimingBufferSize();!function(){if(BOOMR=e.BOOMR||{},BOOMR.plugins=BOOMR.plugins||{},!BOOMR.plugins.AK){var n=""=="true"?1:0,t="",a="vht6pfix22vgcz6v435a-f-2515db883-clientnsv4-s.akamaihd.net",i="false"=="true"?2:1,o={"ak.v":"39","ak.cp":"1204614","ak.ai":parseInt("728289",10),"ak.ol":"0","ak.cr":3,"ak.ipv":4,"ak.proto":"http/1.1","ak.rid":"45bfa","ak.r":35636,"ak.a2":n,"ak.m":"dsca","ak.n":"essl","ak.bpcip":"169.231.231.0","ak.cport":42588,"ak.gh":"23.214.170.79","ak.quicv":"","ak.tlsv":"tls1.3","ak.0rtt":"","ak.0rtt.ed":"","ak.csrc":"-","ak.acc":"bbr","ak.t":"1742071546","ak.ak":"hOBiQwZUYzCg5VSAfCLimQ==4j+zPHw0SkJN4Hw+nKracHlZzc5P07mheFOYITbb4N4o+gzCYXKZgoXJW60HspGl7eHh7JMqK07xgTRRoZ87oSoUKAr5TSAFK9TfqtHOYLSXahS8IDETOdfA19BntnLRG60vpULcyMc7nj4caVuP1pEija6itZw55TZ6uxHIn+2e4a4mdx+tDhlV8DhHQ27xnt3Zt35ukFcVdaIY/PVxzXNcd3bh+UXGuRYSK6b41Y4SqE8DkSK+KEFDJ4gIzsPFq5UFcvCEz7jhS4XsQRapUtCh+0B5W/lwrCRVHmn70ycaaHnqDFCYEcbe6j4z9LcTWOOW/7KhBaacxp2o3m2oRHOgIl4SQ0wfMlmDA4qQ70506gvUn3KDCPWehZsw3eyFJnQq3u4NrsPqM+wD4XJfaCy7eAwgDGNfxIg2yRy/NWo=","ak.pv":"98","ak.dpoabenc":"","ak.tf":i};if(""!==t)o["ak.ruds"]=t;var r={i:!1,av:function(n){var t="http.initiator";if(n&&(!n[t]||"spa_hard"===n[t]))o["ak.feo"]=void 0!==e.aFeoApplied?1:0,BOOMR.addVar(o)},rv:function(){var 
e=["ak.bpcip","ak.cport","ak.cr","ak.csrc","ak.gh","ak.ipv","ak.m","ak.n","ak.ol","ak.proto","ak.quicv","ak.tlsv","ak.0rtt","ak.0rtt.ed","ak.r","ak.acc","ak.t","ak.tf"];BOOMR.removeVar(e)}};BOOMR.plugins.AK={akVars:o,akDNSPreFetchDomain:a,init:function(){if(!r.i){var e=BOOMR.subscribe;e("before_beacon",r.av,null,null),e("onbeacon",r.rv,null,null),r.i=!0}return this},is_complete:function(){return!0}}}}()}(window);</script></head>
|
||
<body id="news">
|
||
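<!-- PAGE CONTAINER -->
<!-- (the comment was previously wrapped in an empty <p>, which rendered a stray paragraph margin at the top of the body) -->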
|
||
<div id="page">
|
||
|
||
<!-- PAGE HEADER -->
|
||
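<!-- Skip link and site banner. The <noscript> markup is the fallback rendered only when ssa-header.js does not run. The two banner links that open a new tab (search, sign in) carry rel="noopener noreferrer" so the opened document receives no window.opener handle and no referrer. -->
<div class="bg-dark-gray accessibility" id="accessibility"><a id="skip-navigation" href="#content">Skip to main content</a></div><ssa-header class="print-hide"><noscript><header class="banner-neo" id="banner" role="banner" style="background-color: #0b4778;"><div class="banner-wrapper"><h1 class="banner-logo"><a class="banner-logo__link" href="/">Social Security</a></h1><nav class="banner-nav" id="banner-nav"><a class="banner-nav__link banner-search" href="https://search.ssa.gov/search?affiliate=ssa" title="Search" target="_blank" rel="noopener noreferrer"><svg class="banner-nav__icon" focusable="false" width="24" height="24" viewbox="0 0 24 24"><path d="M 10 23 C 11.219 23 12.384 22.762 13.496 22.285 C 14.608 21.808 15.565 21.169 16.367 20.367 C 17.169 19.565 17.808 18.608 18.285 17.496 C 18.762 16.384 19 15.219 19 14 C 19 12.953 18.829 11.951 18.488 10.992 C 18.147 10.033 17.661 9.164 17.031 8.383 L 22.711 2.711 C 22.904 2.518 23 2.281 23 2 C 23 1.713 22.905 1.475 22.715 1.285 C 22.525 1.095 22.287 1 22 1 C 21.719 1 21.482 1.096 21.289 1.289 L 15.617 6.969 C 14.836 6.339 13.966 5.853 13.008 5.512 C 12.05 5.171 11.047 5 10 5 C 8.781 5 7.616 5.238 6.504 5.715 C 5.392 6.192 4.435 6.831 3.633 7.633 C 2.831 8.435 2.192 9.392 1.715 10.504 C 1.238 11.616 1 12.781 1 14 C 1 15.219 1.238 16.384 1.715 17.496 C 2.192 18.608 2.831 19.565 3.633 20.367 C 4.435 21.169 5.392 21.808 6.504 22.285 C 7.616 22.762 8.781 23 10 23 Z M 10 21 C 9.052 21 8.146 20.815 7.281 20.445 C 6.416 20.075 5.672 19.578 5.047 18.953 C 4.422 18.328 3.925 17.584 3.555 16.719 C 3.185 15.854 3 14.948 3 14 C 3 13.052 3.185 12.146 3.555 11.281 C 3.925 10.416 4.422 9.672 5.047 9.047 C 5.672 8.422 6.416 7.925 7.281 7.555 C 8.146 7.185 9.052 7 10 7 C 10.948 7 11.854 7.185 12.719 7.555 C 13.584 7.925 14.328 8.422 14.953 9.047 C 15.578 9.672 16.075 10.416 16.445 11.281 C 16.815 12.146 17 13.052 17 14 C 17 14.948 16.815 15.854 16.445 16.719 C 16.075 17.584 15.578 18.328 14.953 18.953 C 14.328 19.578 13.584 20.075 12.719 20.445 C 11.854 
20.815 10.948 21 10 21 Z" transform="matrix(-1, 0, 0, -1, 24.000001, 24.000001)" vector-effect="non-scaling-stroke"></path></svg> <span>Search</span> </a><a class="banner-nav__link banner-menu" href="/menu" id="ssa-menu" title="Menu"><svg class="banner-nav__icon" focusable="false" width="24" height="24" viewbox="0 0 24 24"><path d="M3 5h18q.414 0 .707.293T22 6t-.293.707T21 7H3q-.414 0-.707-.293T2 6t.293-.707T3 5zm0 12h18q.414 0 .707.293T22 18t-.293.707T21 19H3q-.414 0-.707-.293T2 18t.293-.707T3 17zm0-6h18q.414 0 .707.293T22 12t-.293.707T21 13H3q-.414 0-.707-.293T2 12t.293-.707T3 11z" vector-effect="non-scaling-stroke"></path></svg> <span>Menu</span> </a><a class="banner-nav__link banner-languages" href="/es" id="ssa-languages" title="Español" hreflang="es"><svg class="banner-nav__icon" focusable="false" width="24" height="24" viewbox="0 0 24 24"><path d="M12 0C5.373 0 0 5.373 0 12s5.373 12 12 12c.812 0 1.604-.08 2.37-.235-.31-.147-.343-1.255-.037-1.887.34-.703 1.406-2.485.35-3.08-1.053-.6-.76-.868-1.405-1.56-.644-.692-.38-.796-.422-.974-.14-.61.62-1.523.656-1.616.035-.094.035-.446.023-.55-.012-.107-.48-.387-.597-.4-.117-.01-.176.188-.34.2-.164.012-.88-.433-1.03-.55-.154-.117-.224-.398-.435-.61-.21-.212-.235-.047-.562-.175-.327-.13-1.382-.516-2.19-.844-.81-.33-.88-.79-.892-1.114-.012-.325-.492-.797-.718-1.137-.225-.342-.267-.81-.348-.705-.082.106.422 1.336.34 1.37-.083.037-.26-.338-.493-.643-.235-.304.245-.14-.505-1.617-.75-1.476.235-2.23.282-3 .048-.77.633.28.328-.21-.304-.493.023-1.524-.21-1.9-.235-.374-1.57.423-1.57.423.034-.363 1.17-.985 1.99-1.56.82-.573 1.322-.128 1.982.083.66.21.703.142.48-.07-.222-.21.094-.316.61-.235.516.082.656.704 1.442.645.784-.06.08.152.186.35.105.2-.117.177-.633.53-.516.35.012.35.926 1.02.913.667.632-.447.538-.94-.094-.49.668-.105.668-.105.563.375.46.02.87.15.408.13 1.52 1.07 1.52 1.07-1.395.762-.516.844-.282 1.02.235.175-.48.515-.48.515-.294-.293-.34.012-.528.117-.187.105-.012.375-.012.375-.97.153-.75 1.173-.738 
1.418.012.247-.62.622-.786.973-.164.35.423 1.113.117 1.16-.305.048-.61-1.148-2.25-.703-.495.134-1.593.703-1.008 1.863.585 1.16 1.558-.328 1.886-.164.33.163-.093.902-.023.913.07.012.927.033.974 1.032.048 1 1.3.914 1.57.938.27.023 1.173-.74 1.3-.774.13-.035.646-.47 1.77.175 1.126.644 1.7.55 2.086.82.387.27.117.81.48.985.365.176 1.818-.058 2.18.54.364.597-1.5 3.597-2.085 3.925-.586.328-.856 1.078-1.442 1.558-.69.563-1.418 1.076-2.18 1.535-.684.407-.807 1.137-1.112 1.367C19.984 22.52 24 17.73 24 12c0-6.627-5.373-12-12-12zm2.813 11.262c-.165.047-.504.352-1.336-.14-.832-.494-1.406-.4-1.477-.48 0 0-.07-.2.293-.236.747-.072 1.688.692 1.9.704.21.012.315-.21.69-.09.375.12.094.195-.07.242zM10.887 1.196c-.082-.06.068-.128.157-.246.05-.07.013-.182.078-.246.175-.177 1.043-.423.874.058-.17.48-.98.527-1.11.434zm2.098 1.523c-.293-.013-.983-.086-.856-.212.494-.492-.188-.633-.61-.668-.423-.036-.598-.27-.388-.294.21-.024 1.055.013 1.196.13.14.117.902.422.95.644.047.223 0 .41-.293.4zm2.542-.083c-.234.188-1.413-.673-1.64-.867-.985-.844-1.513-.563-1.72-.703-.206-.142-.132-.33.184-.61.318-.282 1.21.094 1.724.152.516.058 1.113.457 1.125.93.01.474.562.91.327 1.097z" vector-effect="non-scaling-stroke"></path></svg> <span>Español</span> </a><a class="banner-nav__link banner-signin" href="https://secure.ssa.gov/RIL/SiView.action" id="ssa-signin" title="Sign in" target="_blank" rel="noopener noreferrer"><svg class="banner-nav__icon" focusable="false" width="24" height="24" viewbox="0 0 24 24"><path d="M12 17.016q-.797 0-1.406-.61t-.61-1.405.61-1.405 1.406-.61 1.406.61.61 1.406-.61 1.407-1.406.61zm6 3V9.986H6v10.03h12zm-6-17.11q-1.266 0-2.18.914T8.906 6H9v2.016h6.094V6q0-1.266-.914-2.18T12 2.906zm6 5.11q.797 0 1.406.586t.61 1.383v10.03q0 .798-.61 1.384T18 21.984H6q-.797 0-1.406-.586t-.61-1.384V9.986q0-.798.61-1.384T6 8.016h.984V6q0-2.063 1.477-3.54T12 .985t3.54 1.477T17.015 6v2.016H18z" vector-effect="non-scaling-stroke"></path></svg> <span>Sign in</span></a></nav></div></header></noscript></ssa-header><script 
src="https://www.ssa.gov/legacy/components/dist/ssa-header.js"></script>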
|
||
|
||
<!-- PAGE NAVIGATION -->
|
||
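<!-- "OLCA MENU" is an in-page jump link to the section menu below, shown on phones only. -->
<a class="btn-top-menu show-phone" id="btn-top-menu" href="#nav-top-menu">OLCA MENU</a>
<!-- <nav> already exposes the navigation role, so the explicit role is dropped;
     aria-label tells assistive technology this menu apart from the site banner's nav. -->
<nav class="nav-top-menu hide-print" id="nav-top-menu" aria-label="OLCA menu">
  <ul>
    <li><a href="/legislation/index.html">OLCA Home</a></li>
    <li><a href="/legislation/118th.html">118th Congress</a></li>
    <li><a href="/legislation/priorcongress.html">Prior Sessions of Congress</a></li>
    <li><a href="/legislation/resources.html">Program Resources</a></li>
    <li><a href="/legislation/other.html">Other Materials for Congress</a></li>
  </ul>
</nav>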
|
||
|
||
<!-- PAGE TITLE -->
|
||
<div id="title-bar">
|
||
<h2>Social Security Testimony Before Congress</h2></div>
|
||
|
||
<!-- PAGE CONTENT -->
|
||
<div id="content" role="main">
|
||
|
||
<!-- GRID SYSTEM -->
|
||
<div class="grid">
|
||
<div class="row-12">
|
||
|
||
<!-- BREADCRUMBS
|
||
<div class="column-12">
|
||
<ul class="breadcrumb">
|
||
<li><a href="home.html">Office of Legislation and Congressional Affairs</a><span class="divider">/</span></li>
|
||
<li class="active">News</li>
|
||
</ul>
|
||
</div>
|
||
<div class="clear"> </div>
|
||
-->
|
||
|
||
<!-- NEWS - PAGE 1 -->
|
||
<div class="column-12 topic">
|
||
<p> </p>
|
||
<p align="center"><strong>Statement of Robert Klopp, <br>
|
||
Deputy Commissioner for Systems and Chief Information Officer<br>
|
||
Social Security Administration<br>
|
||
before the House Committee on Oversight and Government Reform, Subcommittee on Information Technology</strong></p>
|
||
<p align="center"><strong> November 16, 2016<br><br>
|
||
</strong></p>
|
||
<p>Chairman Hurd and Ranking Member Kelly, thank you for inviting me to testify today to discuss
|
||
cybersecurity at the Social Security Administration (SSA).</p>
|
||
<p> In this testimony I will provide you with an update that describes our progress and open issues
|
||
related to the external audits of our cybersecurity program; I will provide you with an update
|
||
related to other projects that have resulted from our own examination of our systems; and I will
|
||
provide you with a status of our efforts to protect personal information. </p>
|
||
<p>I would like to suggest one issue on-the-record for consideration by the Committee. The Council
|
||
of Inspectors General has established a measurement standard for compliance with the Federal
|
||
Information Security Management Act (FISMA) Information Technology (IT) Security
|
||
guidelines. Unfortunately, the standard has changed significantly each of the past three years
|
||
and, as a result, one cannot judge progress against a standard set of criteria. In FY 2015, the
|
||
Inspectors General (IGs) introduced a maturity model for Information Security Continuous
|
||
Monitoring, which, as stated in the Office of Management and Budget’s (OMB) Annual Report
|
||
to Congress, led to a decrease in overall agencies scores. In FY 2016, the IGs introduced a
|
||
second maturity model for Incident Response, which will likely lead to a further decrease in
|
||
scoring due to the scoring methodology. The maturity model provides agencies with context for
|
||
performing risk assessments and identifying the optimal maturity level that achieves cost-effective
|
||
security based on their missions and risks. The IGs indicate that they plan to coordinate
|
||
with the Department of Homeland Security (DHS), OMB, and other key stakeholders, and
|
||
extend the maturity model to other security domains for IGs to utilize in their FY 2017 FISMA
|
||
reviews. In the meantime, however, metrics for those domains without an established maturity
|
||
model are mapped to Maturity Model Indicators. These indicators will act as a stepping-stone,
|
||
allowing IGs to reach preliminary conclusions similar to those achievable with a fully developed
|
||
model. </p>
|
||
<p>We will continue to work with our Inspector General to address deficiencies across these areas. </p>
|
||
<p>To that end, the SSA cybersecurity team is recognized as one of the better teams in the federal
|
||
government. As I describe in my testimony, we have made significant strides forward since our
|
||
last visit before this Committee in May. </p>
|
||
<p>In our last hearing, some Members voiced concerns about a lack of leadership on cybersecurity
|
||
at the agency. I appreciate this concern, but I also think we need to be careful about assuming
|
||
that any security weakness is the result of bad management. If the fact that there are
|
||
vulnerabilities in our IT infrastructure reflects a lack of leadership, then I accept the
|
||
responsibility for the lack of leadership. If the criterion is that, if DHS finds anything wrong, this
|
||
reflects a lack of leadership, then I accept the responsibility. But this also means that every
|
||
agency that has a vulnerability, exploited or not, has a leadership issue – and that means every
|
||
agency, not just SSA. </p>
|
||
<p>The cost of continuously deploying ever better cybersecurity is growing with the many threats
|
||
from bad actors. The ability to protect legacy systems becomes more difficult as modern cyber
|
||
defenses are not built to protect 30-year-old systems.</p>
|
||
<p>The SSA can shift funding from our IT budget for cyber, but soaking up any savings by spending
|
||
it on cyber does not fund continuous improvement. It does not fund IT modernization. The idea
|
||
that the SSA, or any agency, can do more in cyber while simultaneously rebuilding our IT
|
||
infrastructure is no less a fantasy than the idea that the country can modernize any other
|
||
infrastructure – our roads, our dams, our electric grid, our military – without an investment. </p>
|
||
<p>My testimony includes a request to modernize IT and to fund improvements in cyber defenses.
|
||
Wishing for better IT from cost cutting will not help. Wishing for cost-cuts with no investment
|
||
will not help. Passing legislation without providing funding is not enough. </p>
|
||
<p>In the remainder of this testimony, I will outline the issues and remediation undertaken by my
|
||
cybersecurity staff since our last hearing. </p>
|
||
<p><strong>OIG FISMA Audit </strong></p>
|
||
<p>In 2015, the Office of the Inspector General (OIG) FISMA Audit identified several areas where
|
||
the agency needed to improve our program. </p>
|
||
<p>In FY 2016, we made substantial improvements and progress in securing applications and
|
||
managing vulnerabilities for the vast majority of our systems resources. </p>
|
||
<p>It was noted that we needed to improve our application of the National Institute of Standards and
|
||
Technology (NIST) Risk Management Framework (RMF) requirements for our remote locations:
|
||
regional offices, program service centers, and Disability Determination Service systems. This is
|
||
a significant undertaking. </p>
|
||
<p>During Fiscal Year (FY) 2016, we established a security assessment and authorization process
|
||
that resulted in providing authority to operate (ATO) for 221 software applications in our
|
||
regional offices and program service centers. This regional ATO process builds on our mature
|
||
and robust RMF process for our centralized systems. We also improved our system inventory
|
||
management process by expanding the use of an automated inventory software to capture details
|
||
about applications housed remotely. We have not closed this issue but we are making significant
|
||
progress. </p>
|
||
<p>We conducted a review of our national teleservice center system hosted by AT&T. After
|
||
directing the vendor to make a series of changes, we granted an ATO. We conducted security
|
||
reviews of other external contractor-operated systems using the same NIST processes we use for
|
||
our internal systems. We include contractor systems in our automated inventory. </p>
|
||
<p>Auditors noted room to improve our access controls in order to prevent unauthorized access to
|
||
our systems and data. </p>
|
||
<p>In FY 2016, we implemented an automated Security Access Management portal solution to
|
||
replace our paper-based access request and approval process and established an authoritative
|
||
database for contractor access. We implemented a Security Administration Reports Application
|
||
and began the implementation of an automated Access Removal Tool for terminating or
|
||
disabling logical and physical access for separated employees and/or contractors.</p>
|
||
<p>We expanded our user account review process to increase our focus on privileged user accounts
|
||
and procured a new technical solution to further strengthen and automate management over our
|
||
privileged user accounts. </p>
|
||
<p>We updated our security and privacy training to reflect the current threat landscape. Nearly
|
||
85,000 of our employees and contractors completed our annual training that covered a range of
|
||
topics including protection of sensitive data, such as personally identifiable information, and how
|
||
to prevent, detect, and report security incidents or suspected incidents when they occur.
|
||
Additionally, we conducted ongoing training exercises to test our users’ ability to detect social
|
||
engineering attacks such as email phishing. </p>
|
||
<p>The auditor cited a weakness in tracking completion of security awareness training for all
|
||
contractors. </p>
|
||
<p>We previously noted the establishment in FY 2016 of a contractor database. This database will
|
||
log contractors’ completion of mandatory security and privacy awareness training. </p>
|
||
<p>Audits suggested that we needed to continue improving our threat and vulnerability management
|
||
process. </p>
|
||
<p>In FY 2016, we expanded our enterprise-wide penetration-testing program and implemented new
|
||
tools to improve our detection of potential vulnerabilities across our network. This
|
||
implementation has allowed us to find certain security threats in near real time. </p>
|
||
<p>The auditor cited a weakness that SSA had not implemented plans to close Information Security
|
||
Continuous Monitoring skill gaps, knowledge, and required resources. </p>
|
||
<p>We began working with DHS under their Continuous-Monitoring-as-a-Service phase of the
|
||
Continuous Diagnostics and Mitigation (CDM) program, which will allow us to feed information
|
||
automatically about our asset, configuration and vulnerability posture directly to DHS to feed the
|
||
federal dashboard, thereby improving visibility into all federal agencies. It also provides us with
|
||
new capabilities to prevent unauthorized software on our network. While we have trained staff
|
||
with the necessary skills and resources to meet all CDM program requirements, we face
|
||
challenges similar to all Federal agencies in attracting and retaining cybersecurity talent. </p>
|
||
<p><strong>DHS Cyber Exercises </strong></p>
|
||
<p>We participated in several exercises where DHS staff were allowed access to our systems to find
|
||
issues. There are several recommendations resulting from these exercises.
|
||
We have created a regimen that allows both DHS and our cyber staff to scan the mainframe
|
||
environment regularly for vulnerabilities. Our regularly scheduled scans have found no
|
||
significant issues there to date.
|
||
In addition, at our last hearing before HOGR it was pointed out that we needed to change the
|
||
process where we notified OIG of a DHS exercise but waited for a formal request from them for the results, to a process where we automatically shared results after each exercise. We have done
|
||
so. </p>
|
||
<p><strong>FITARA Scorecard</strong></p>
|
||
<p>In the May 2015 Federal Information Technology Acquisition Reform Act (FITARA) scorecard
|
||
the agency received an overall grade of “C.” Although we received high grades in some
|
||
categories, we received “F”s in two categories. </p>
|
||
<p>We received an “F” for “Incremental Development.” Our efforts to reduce time and increase the
|
||
number of times we deliver product increments is paying off. In addition, we are actively
|
||
pushing Agile development methods in order to further improve our ability to develop software
|
||
faster and cheaper. </p>
|
||
<p>We also received an “F” for “Data Center Consolidation.” Since our last hearing, we have
|
||
finished the development and deployment of our data center. Recently, your staff toured
|
||
the facility and, it is my understanding, they came away impressed. With the closure of this
|
||
project, the agency is fully consolidated and runs only two data centers: a primary and a back-up.
|
||
This should improve our grade to an “A,” fully consolidated. </p>
|
||
<p>We believe that these two improvements would push our overall grade to a “B” if the criteria
|
||
were to stay the same. </p>
|
||
<p><strong>Internal Projects and Status </strong></p>
|
||
<p>This topic provides an overview of capabilities-in-place and of other projects unrelated to
|
||
external parties. </p>
|
||
<p><strong>General Notes </strong></p>
|
||
<p>The agency is incubating a series of modern IT capabilities in preparation for a series of funded
|
||
IT modernization programs. Each of these new technologies goes through a comprehensive
|
||
review before receiving an ATO. </p>
|
||
<p><em>Cloud Computing</em><br>
|
||
We utilize the General Services Administration’s Federal Risk and Authorization Management
|
||
(FedRAMP) program to guide the security of our cloud-based systems. In FY 2016, we issued
|
||
our first provisional cloud ATO for our Agency Cloud Infrastructure platform as a service. </p>
|
||
<p><em>Enterprise Data Warehouse</em><br>
|
||
We are deploying new Open Source technologies as part of the first agency-wide decision
|
||
support/Enterprise Data Warehouse product. These technologies build upon the ATO for cloud
|
||
computing and this new platform has received authorization to operate.</p>
|
||
<p><em>Identity Assurance for Public Facing Applications</em></p>
|
||
<p> The agency is planning to implement methods that adhere to the NIST Identity Assurance Level
|
||
3, when providing a citizen access to our online services. </p>
|
||
<p>This fall, the agency moved to improve our ability to authenticate users with existing IDs by
|
||
implementing a technique called multi-factor authentication (MFA). Our implementation of
|
||
multi-factor authentication requires users to respond to a prompt sent to a device in their
|
||
possession. </p>
|
||
<p>Unfortunately, our implementation created a security barrier that some citizens could not
|
||
overcome so we backed out MFA and immediately began designing a new MFA approach that
|
||
would implement secondary factors that allow any computer user to log in. We expect this new
|
||
protection to be deployed in the first half of calendar 2017. </p>
|
||
<p><em>Incident Response </em></p>
|
||
<p>We have a comprehensive Incident Response process in place. We prepare, plan and conduct
|
||
Incident Response testing every six months. Our testing in FY 2016 included establishing a
|
||
process to fund our recovery in the event of a large-scale breach. We also have an automated
|
||
capability to report personally identifiable information losses and incidents detected by our
|
||
Security Operations Center to DHS’ United States Computer Emergency Readiness Team
|
||
(US-CERT) within the required timeframes. </p>
|
||
<p>We perform a range of agency-wide activities designed to identify threats to our agency mission
|
||
and operations, and plan for the recovery of IT assets needed to support our essential functions.
|
||
We have established Continuity of Operations Plans (COOP) at the agency and component
|
||
levels, which identify our mission essential functions. We have conducted a Business Impact
|
||
Analysis to determine the potential adverse impact that the loss of our IT infrastructure would
|
||
have on our ability to perform essential functions. We have further developed a Disaster
|
||
Recovery plan that provides for full redundancy of our major systems. We conduct annual
|
||
COOP testing and disaster recovery exercises that test the recovery of our major systems. </p>
|
||
<p><strong>IT Modernization </strong></p>
|
||
<p>I would like to emphasize that we also need to modernize our legacy systems to provide the
|
||
modern infrastructure that incorporates modern cyber defenses. As we head into this period
|
||
where a significant portion of our IT staff becomes eligible for retirement, we need to begin
|
||
long-term efforts to modernize our infrastructure, our data architecture, and our software
|
||
intellectual property. We need to accomplish this while we keep the current systems
|
||
incrementally advancing and while we continue to expand our commitment to cybersecurity.
|
||
The Administration’s proposal for the IT Modernization Fund would provide an additional
|
||
opportunity to secure much needed IT modernization funding. </p>
|
||
<p>To that end, we need a sustained, long-term investment to make the changes needed to develop a
|
||
fully modern IT infrastructure that is capable of supporting the immense responsibilities I
|
||
described earlier in my testimony. That is why the President’s Budget for FY 2017 requests multiyear funding of $300 million spread over four years, to undertake an IT modernization
|
||
project that will bring our systems current. In FY 2017, $60 million is included as part of the
|
||
FY 2017 President’s Budget. The FY 2017 President’s Budget also contains a mandatory
|
||
proposal for additional IT modernization funding – $80 million each year in FYs 2018-2020.
|
||
The project will require effort and long-term investment in several areas including modernization
|
||
in computer languages, databases, and infrastructure. </p>
|
||
<p>We need this additional IT modernization funding because our annual funding levels have been
|
||
insufficient to undertake this important IT work. We are working hard to manage the agency
|
||
with far less money than we need. Our FY 2016 enacted budget was around $350 million less
|
||
than the President’s Budget request. As a result, we are seeing service degradation in many
|
||
areas. SSA’s core operating budget has shrunk by 10 percent since FY 2010 after adjusting for
|
||
inflation, while the number of Social Security beneficiaries rose by 12 percent over the same
|
||
period. We are greatly concerned about FY 2017, when we will serve a record number of
|
||
beneficiaries, at a time when people are already facing longer wait times for service in our
|
||
frontline offices. </p>
|
||
<p>Each year, over $300 million of our budget represents fixed cost growth for things such as
|
||
increases in salaries, benefits, rent for our buildings, and guard costs. The continuing resolution
|
||
(CR) leaves us with few resources to improve overall service. With services already in a fragile
|
||
state, it is critical that we receive sufficient funding when Congress passes a full-year budget for
|
||
FY 2017 – and it is critical to receive adequate funding to carry out IT modernization to protect
|
||
the public’s data and enhance service to the public. The FY 2017 President’s Budget request of
|
||
$13.067 billion is necessary to rebound from this year’s constraints, to improve service to the
|
||
public, to maintain service hours to the public in our offices, and to begin the needed work to
|
||
protect and modernize our IT infrastructure. I would be happy to have our budget office brief
|
||
you or your staff in greater detail. </p>
|
||
<p><strong>Conclusion </strong></p>
|
||
<p>Thank you for holding this hearing. I would be pleased to answer any questions you may have.</p>
|
||
<p> </p>
|
||
</div>
|
||
|
||
|
||
|
||
</div><!-- end .row-12 -->
|
||
|
||
</div><!-- end grid -->
|
||
</div>
|
||
|
||
<!-- end #content -->
|
||
|
||
<!-- PAGE FOOTER -->
|
||
|
||
</div><!-- end #page -->
|
||
<!-- OCOMM BODY CONTENT -->
|
||
<!-- SSA INTERNET BODY SCRIPTS -->
|
||
<script src="/framework/js/ssa.internet.body.js"></script>
|
||
|
||
</body>
|
||
</html> |