Lack of leadership on SSN use
- By Chase Gunter
The government's effort to reduce its reliance on Social Security numbers is progressing too slowly and continues to face challenges at the agency level, according to a recent report by the Government Accountability Office.
The numbers, which serve as unique identifiers for individual Americans, were never intended to be proxy IDs, and their widespread use exposes citizens to the possibility of identity theft.
GAO auditors said one reason it is difficult for agencies to move away from using Social Security numbers is the lack of guidance from the Office of Management and Budget.
Around 2007, OMB and the Social Security Administration made pushes to migrate from the number, and the 2015 Office of Personnel Management breach, which exposed some 22 million personnel records, renewed the effort's urgency.
Auditors reported that all 24 CFO Act agencies have developed plans to curb the use and display of social security numbers, but agencies continue to struggle in actually reducing their collection of and reliance on the numbers.
The agencies' reduction plans are supposed to comprise four criteria -- performance goals and indicators, measurable activities, timelines for completion, as well as roles and responsibilities. However, their thoroughness varies significantly.
Only two agencies -- the Departments of Commerce and Education -- address all four elements, and two -- the Department of Energy and the General Services Administration -- address none.
However, individual agencies are using IT to cut down on the transmittal of SSNs. For example, the Bureau of Economic Analysis within the Department of Commerce implemented a filter to block e-mails containing SSNs, and the Department of Justice's systems automatically block e-mails to external, nongovernmental users when an SSN is detected.
Even where reductions can be made, regulatory, operational and technical obstacles stand in the way. Agency officials told auditors that SSNs cannot be entirely eliminated from federal IT systems and records because of a mix of laws and longstanding practice.
Officials from 14 agencies said that reducing the use, collection and display of SSNs would require complex technological challenges to key software applications and information systems.
"SSN reduction efforts in the federal government have also been limited by more readily addressable shortcomings," the report states. Specifically, GAO points a finger at OMB's poor planning and ineffective monitoring for agencies' shortcomings.
Reduction plans are supposed to be based on unnecessary use and display of social security numbers, but OMB hasn't provided criteria for determining what "unnecessary" constitutes, leaving interpretations up to agencies' interpretations.
Additionally, OMB does not require agencies to submit progress updates or to maintain inventories of systems that contain SSNs, which makes measuring agencies' progress in reducing SSNs difficult, the report states.
"Until OMB requires agencies to adopt better practices for managing their SSN reduction processes, overall government-wide reduction efforts will likely remain limited and difficult to measure," the report states.
Auditors recommended OMB to require all agencies to develop and maintain SSN reduction plans, to inventory which of their systems contain SSNs and to submit annual status reports.
Additionally, auditors recommend that OMB define "unnecessary" collection and use of SSNs and establish performance measures of agency progress.
OMB did not provide comments on the recommendations.